Info Risk Today Podcast

Threat-centric security frameworks need to be supplemented with an approach based on user behavior, which is becoming a critical parameter in understanding organizations' risk postures, Forcepoint's Maheshwaran S says in an in-depth interview.

The latest ISMG Security Reports leads with a top DHS cybersecurity leader, Jeanette Manfra, providing a case study on how information sharing helped mitigate the WannaCry attack in the U.S. Also, the SEC mulls toughening its cyber risk reporting requirements.

Dr. Suzanne Schwartz of the FDA clears up some myths and misunderstandings about medical device security in an in-depth interview. She'll be a featured speaker at Information Security Media Group's Healthcare Security Summit, to be held Nov. 14-15 in New York.

A report on the head of Equifax contending that his company - not individual consumers - owns the personally identifiable information the credit reporting agency markets to lenders leads the latest version of the ISMG Security Report. Also, a preview of the ISMG Healthcare Security Summit.

The success of any security initiative comes down to one crucial element: an educated, engaged workforce. And that requires an effective security awareness program, says Mark Eggleston, chief information security and privacy officer at Health Partners Plans. But how can you tell if your program is working?

Security practitioners must do a much better job of prioritizing their investments based on the most significant risks their organizations face, says Zulfikar Ramzan, chief technology officer at RSA, who offers insights on "fighting the right battle."

The global cybersecurity skills shortage is real, and it's deeply impacting organizations' abilities to implement and manage new technology tools, says Lee Fisher of Juniper Networks. But worse, it's also affecting how organizations assess their adversaries.

CISO Mitchell Parker of Indiana University Health says healthcare organizations that have focused on HIPAA compliance when crafting security and privacy policies need to be making plans to comply with the EU's GDPR if they handle Europeans' data. How will that influence decisions about data protection?

The ISMG Security Report leads with a discussion about the sale of compromised remote desktop protocol credentials for as little as $3 on darknet marketplaces. Also, grading the performance of DHS in sharing cyberthreat information.

The latest ISMG Security Report features highlights from the recent panel discussion at the ISMG Fraud and Breach Prevention Summit in London on preparation for the European Union's General Data Protection Regulation set to be enforced next May.

To help prevent breaches caused by third parties, organizations need to improve their vendor risk evaluation methods, carefully assessing their business partners' processes and risk mitigation methods, says Anuj Tewari, CISO of HCL Technologies.

As the explosive growth of the internet of things continues, it's essential to take a structured approach to implement security-by-design with secure coding and end-to-end encryption of data, says Mumbai-based Juergen Hase, CEO of Unlimit, the IoT business unit of the Reliance Group.

Jennings Aske, CISO of New York-Presbyterian, says the healthcare sector is still struggling to figure out medical device security and contends that federal regulations have not been helpful in making it a priority.

The latest edition of the ISMG Security Report leads with an analysis of a British parliamentary probe into the WannaCry ransomware attack on England's National Health Service. Also featured: a discussion of cyber threats posed by outdated industrial systems.

When it comes to warding off phishing attacks, too many organizations are reliant on internal awareness campaigns. But a more proactive defense and controls are needed, says John "Lex" Robinson of PhishMe.

Litigation attorney Patricia Carreiro offers an analysis of whether malpractice or cyber insurance coverage - or neither - would come into play if a patient was injured as a result of a cyberattack against a healthcare entity, including an assault targeting a medical device.

Medical device cybersecurity scrutiny usually focuses on potential patient safety issues. But vulnerabilities identified in a cardiac pacemaker programming device illustrate the risks also posed to patient data privacy, says Billy Rios, a researcher who discovered the problem.

Malware is widely available in an "as-a-service" model on the cybercriminal underground to anyone with criminal intent and a bit of money, says John Shier, senior security adviser at Sophos, who explains exactly how the model works in this in-depth interview.

The latest ISMG Security Report features highlights from last week's panel discussion at the ISMG Fraud and Breach Prevention Summit in London on the implications of the Equifax data breach.

A new collaborative effort aims to advance "evidence-based security" for medical devices through the sharing of best practices, says Dale Nordenberg, M.D., leader of the Medical Device Innovation, Safety and Security consortium.

Is digital transformation an impending "disaster" - leaving more attack surfaces open to exploit and putting enterprises at further risk? Or is there a chance to rewrite how the security department operates? Former Burberry CISO John Meakin shares his views.

DataBreachToday Executive Editor Mathew J. Schwartz's examination of the growing threats facing the critical energy sector leads the latest edition of the ISMG Security Report. Also in this report: A discussion of safeguarding the telehealth marketplace.

An in-depth look at the DMARC anti-spoofing system - which the U.S. Department of Homeland Security this past week said it will require federal agencies to adopt - leads the latest edition of the ISMG Security Report. Also, continuous monitoring of the insider threat.

To be successful, the quest to mitigate insider threat risks must start at the time employees are hired and continue as they move into different positions requiring varying degrees of data access, says Suzanne Widup of Verizon Enterprise Solutions.

A look at President Donald Trump's pick for the Department of Homeland Security secretary, Kirstjen Nielsen, leads the latest edition of the ISMG Security Report. Also featured: Equifax's and TransUnion's problem with dubious code.

The RSA Conference returns to Abu Dhabi in November, and event organizers Linda Gray Martin and Britta Glade say this year's agenda is packed with new speakers and topics unique to this growing annual event.

With telehealth on the cusp of rapid growth, healthcare entities must carefully assess and address critical privacy and security issues, says regulatory attorney Emily Wein.

A discussion with ISMG Security and Technology Editor Jeremy Kirk about his chat with the cyber gang "The Dark Overlord," which threatened some U.S. school districts with extortion, leads the latest edition of the ISMG Security Report. Also, an update on surging IT security employment.

It is said that "Data is the new oil." If that's the case, then organizations need to do a far better job inventorying and securing their wells, says Laurence Pitt of Juniper Networks. He offers insights on leveraging and securing data.

Congress needs to elevate the position of the CISO at the Department of Health and Human Services so that the job not only has responsibilities within the agency but also an official role in helping the healthcare sector improve its cybersecurity, says Samantha Burch of HIMSS.

New York state's Department of Financial Services is enforcing minimum cybersecurity standards by which all banks and other financial services firms that it regulates must abide. Think of the new regulation "as a playbook or a guidepost," says cybersecurity attorney Paul Ferrillo.

An analysis on finding a replacement for Social Security numbers as an identifier for individuals leads the latest edition of the ISMG Security Report. Also, assessing Kaspersky Lab's responsibility for the hack of an NSA contractor's computer.

The upcoming enforcement of GDPR puts the spotlight on data governance, but what about the potential impact on vendor risk management? Jacob Olcott of BitSight discusses how to prepare for this new generation of cybersecurity regulations.

Leading the latest edition of the ISMG Security Report: A deep dive into how continuously monitoring user behavior could replace passwords as a means of authentication. Also, U.S. federal agencies continue to fall short on IT security.

Security programs fail because of too much emphasis on protection and not enough on detection and response, says Ira Winkler, president of Secure Mentem, who calls on CISOs to help change their organization's security priorities.

The key to simplifying the implementation of identity and access management, and streamlining integration with other systems, is to take advantage of industry standards, says Mark Perry of Ping Identity, an identity-defined security provider

The latest edition of the ISMG Security Report is devoted to a special report on how enterprises around the world should prepare for the European Union's General Data Protection Regulation, which starts being enforced in May.

The recent Equifax mega-breach demonstrates how essential it is to have a robust, well-tested incident response plan in place that includes a strong public relations component, says Heath Renfrow, CISO at U.S. Army Medicine

Leading the latest edition of the ISMG Security Report: an interview with NIST's Ron Ross about revised guidance on how to get C-suite executives to help shape information risk management. Also, DHS, FBI leaders outline goals for protecting the U.S. election system.

Artificial intelligence and machine learning are among the top industry buzzwords of the year. But how can AI truly make a significant impact on organizations' cybersecurity operations? Brian NeSmith of Arctic Wolf Networks offers insight.

Organizations are drowning in data, and they cannot even inventory it all - much less secure it. How, then, do they shift to focusing on their most sensitive data? Rob Douthitt of SolarWinds MSP offers new strategies.

Hospitals and physicians need to ramp up their security scrutiny of electronic health records systems as a result of recent changes in the Department of Health and Human Services' certification of EHRs, says privacy attorney David Holtzman.

It's the age of "open banking," and that means changes for banking institutions and their customers - as well as for the fraudsters. Shaked Vax of IBM Security Trusteer talks about new vulnerabilities and anti-fraud strategies.

Aetna will move from passwords to continuous behavioral authentication next year on its consumer mobile and web applications for better security and end-user experience, says Jim Routh, the health insurer's CISO.

Experts speaking out on how boards of directors and CISOs must do a better job in strengthening board involvement on cybersecurity matters leads the latest edition of the ISMG Security Report. Also, "Catch Me if You Can" impostor Frank Abagnale on the Equifax hack.

Network by network, device by device, today's security threats spread through an organization like wildfire. But Druce MacFarlane of Bricata says security leaders are making fundamental mistakes with their focus on perimeter and endpoint security.

Recent changes by the HHS to the certification program for electronic health record software could potentially weaken efforts to ensure EHRs meet federal requirements, including those that impact security, says attorney Maya Uppaluru, who formerly was on the HHS staff.

Analyzing the impact of a breach of computers at the U.S. Securities and Exchange Commission leads the latest edition of the ISMG Security Report. Also, exploring alternative plans to implement cybersecurity regulations on credit reporting bureaus in the wake of the Equifax breach.

In today's dynamic threat landscape, "real-time" is the operative phrase - and it needs to apply both to threat detection and incident response, says Tim Bandos of Digital Guardian. What are the required security controls and tools?

Are organizations making the same security mistake with APIs today that they made with their websites 10 and 20 years ago? Jeffrey Costa of Akamai Technologies says yes and offers insight on securing and caching APIs.