Prepare & Practice – BSW #207
1. Security Incidents: Simple Responses That Make All The Difference – David Chamberlin – BSW #207
What are some best practices for preparing for a security incident? David Chamberlin, Managing Director at CRA, Inc., joins Business Security Weekly to discuss preparation for a security incident and how to develop a communications plan that's simple and effective.
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
We're always looking for great guests for all of the Security Weekly shows! Submit your suggestions by visiting https://securityweekly.com/guests and completing the form!
Guest
David Chamberlin is a Managing Director of CRA’s Strategic Communication Practice. With 20+ years of global experience building and transforming teams for some of the world’s leading brands, David Chamberlin partners with leaders to strategically drive business results, build trust and credibility, strengthen relationships with stakeholders and successfully navigate and mitigate the critical issues affecting their organizations.
Prior to joining CRA, David served as the Chief Marketing Officer at SonicWall, a global cybersecurity leader, and as the Chief Communications Officer for The PNC Financial Services Group. He also helped found and lead Edelman’s global Data Security & Privacy Group, which helped organizations prepare for, respond to and recover from cybersecurity incidents with hundreds of millions of victims.
2. Cyberinsurance, Breaches, Business Continuity, & Beyond! – BSW #207
In the leadership and communications section, Financial Targets Don’t Motivate Employees, Texas power outage flags need to revisit business continuity, Security job candidate background checks: What you can and can't do, and more!
Announcements
Don't forget to check out our library of on-demand webcasts & technical trainings at securityweekly.com/ondemand.
If you missed Security Weekly Unlocked, you can now access all of the content on-demand, whether you registered before the live event or not, by visiting https://securityweekly.com/unlocked and clicking either the button to register or the button to login!
- 1. New York issues cyber insurance framework as ransomware, SolarWinds costs mount
  On February 4, 2021, New York became the first state in the nation to issue a cybersecurity insurance risk framework (https://www.dfs.ny.gov/industry_guidance/circular_letters/cl2021_02) to all authorized property and casualty insurers. Noting that ransomware insurance claims jumped by 180% from 2018 to 2019 and doubled from 2019 to 2020, New York's Department of Financial Services (DFS) advised insurers not to make ransomware payments, for three reasons:
  1. The US Treasury Department's Office of Foreign Assets Control (OFAC) warns of the national security implications of paying a ransom, saying that insurers can be liable for ransom paid to sanctioned entities.
  2. Even if insurers do pay a ransom, payment does not guarantee that victims will get their encrypted files or stolen data back.
  3. Many insurers are not yet able to accurately measure cybersecurity risk. Without that gauge, "cyber insurance can therefore have the perverse effect of increasing cyber risk—risk that will be borne by the insurer."
  Major carrier-underwriters such as AIG and Zurich have mostly been following these recommendations already.
- 2. Financial Targets Don't Motivate Employees
  It's natural for leaders to emphasize the importance of hitting financial targets, but making numbers the centerpiece of your leadership narrative is a costly mistake. Financial results are an outcome, not a root driver of employee performance, and a growing body of evidence tells us that overemphasizing financial targets erodes morale and undermines long-term strategy. Leaders looking to motivate employees must instead use their time with their teams to build belief in the organizational purpose, the intrinsic value of the employees' work, and the impact they have on customers and on each other. To do so, the authors recommend three tactics: 1) reevaluate how you use your leadership airtime; 2) discuss your customers with specificity and emotion; and 3) resist the urge to widely share every measure of financial performance.
- 3. After the Breach and Beyond
  NIST Special Publication (SP) 800-61, Computer Security Incident Handling Guide, outlines a detailed, pragmatic approach to the actions organizations should take before, during, and after security incidents. It is incumbent upon every organization to develop its own Computer Security Incident Response Plan, tailored to its needs, and to revise it in light of what a data breach reveals. Beyond the breach itself, the organization must also focus on developing a culture of security that is pervasive throughout the enterprise, concentrating its efforts on the following areas:
  1. Institutional Reputation Repair and Restoration
  2. IT Enterprise Risk Management Program
  3. Information Security Awareness and Training
  4. Governance and Information Security Strategic Planning
- 4. Texas power outage flags need to revisit business continuity
  Freezing conditions that caused Texas power outages affected businesses well beyond the state's borders, prompting a need for business continuity plans to be revisited.
- 5. Undervalued and ineffective: Why security training programs still fall short
  Research reveals a glaring disconnect between the need for security training and its perceived value. But organizations that have made their awareness programs a strategic priority and adopted more modern approaches are finding success.
- 6. Security job candidate background checks: What you can and can't do
  Enterprise cybersecurity begins with a trustworthy staff. Here are six steps to ensure that current and prospective team members aren't hiding any skeletons:
  1. Reference check
  2. Identity confirmation
  3. Court record check
  4. Address corroboration
  5. Education verification
  6. Database check