Reasons why April fools’ should be international cybersecurity awareness day!


I HAVE ALWAYS LOVED APRIL FOOL’S. As far back as I can remember, from my early childhood until today, I never lost the habit of pulling some kind of silly, harmless prank. Some were reasonably amusing, like when I posted an (obviously fake) check-in at the top of Mount Everest and informed a client that I would be late for an important meeting. Other instances led me into somewhat complicated situations, for example when I changed my birthday on social networks to 4/1. Aside from an entire day of online congratulations (that was the point of the joke, by the way), at the end of the day I discovered that my colleagues had decided to throw a surprise party at work. Some of them were not entirely happy to learn that it was all a joke, but in the end we had a good laugh.

You may be wondering: what does this have to do with cybersecurity? Well, the fact is that over the years (and those small pranks had a part in it) I have noticed that during April fool’s people are far more skeptical about what is published on the internet. Will Google print and send a hard copy of your email to your home? Oops, this must be a lie. Will Google launch a “pet-friendly” search engine for your cats and dogs? Of course not! Will Subway launch a line of “subzero” ice cream including tuna, chicken tikka and marinara meatball flavors? That is quite funny, but there is no truth in it.

Homer would approve that!

And that’s it! For one day we adopt a critical vision and a skeptical attitude that rejects the idea that “if it is on the internet, it must be true!”. Now I ask: why not adopt this same posture when we receive an “email from the bank” asking us to revalidate our password so that the account will not be blocked? Why not act the same way when a Word or Excel file, downloaded from a not-so-trustworthy site, asks us to enable macros? Why, as Bruce Schneier used to say, does the user have to pick dancing pigs over security every time? With the April fool’s attitude we can change that!

Good information security depends on PEOPLE, processes and technologies, and most of you have heard time after time that “people are the weakest link”. Unfortunately, this statement has remained a merciless truth over the last couple of decades, with very little sign of improvement. What is the point of acquiring top security solutions without implementing sound processes and having employees trained and fully aware of their security responsibilities?

At the end of the day, when it comes to people, what we really need to ensure is the balance of knowledge, skills and attitudes. Again, if replicated all year long, the skeptical attitude we use during April fool’s would have a spectacular effect against the threats that have been causing nightmares for security professionals: every form of social engineering, phishing, spear-phishing, ransomware infections and most other forms of malicious code; the list is extremely long.

May April fool’s last all year long! It is my most sincere and humble wish!



ISO: Download over 600 Standards for free! (No, it is not piracy!)

A few days ago I reposted an old article on how to get a legit copy of ISO 27000 free of charge. Well, in truth, there are several others that you can download and put to good use!

How about downloading over 600 ISO standards free of charge? No subscription, no paywall, no strings attached! Simply over 600 Freely Available ISO Standards!

The complete list includes OVER 600 STANDARDS. Obviously some may be quite outdated (like the ones from 1988!), but I was surprised to find very recent publications on relevant topics such as IT, Information Security, Cloud Computing, and IT Service Management:

  • ISO/IEC 2382:2015 Information technology — Vocabulary
  • ISO/IEC 2382-37:2017 (E) Information technology — Vocabulary — Part 37: Biometrics
  • ISO/IEC 17788:2014 Information technology — Cloud computing — Overview and vocabulary
  • ISO/IEC 17789:2014 Information technology — Cloud computing — Reference architecture
  • ISO/IEC 19395:2015 Information technology — Sustainability for and by information technology — Smart data centre resource monitoring and control
  • ISO/IEC 19678:2015 Information Technology — BIOS Protection Guidelines
  • ISO/IEC TR 20000-10:2015 Information technology — Service management — Part 10: Concepts and terminology
  • ISO/IEC TR 20000-11:2015 Information technology — Service management — Part 11: Guidance on the relationship between ISO/IEC 20000-1:2011 and service management frameworks: ITIL
  • ISO/IEC TR 20000-12:2016 Information technology — Service management — Part 12: Guidance on the relationship between ISO/IEC 20000-1:2011 and service management frameworks: CMMI-SVC
  • ISO/IEC 27036-1:2014 Information technology — Security techniques — Information security for supplier relationships — Part 1: Overview and concepts
  • ISO/IEC 27000:2016(E) Information technology — Security techniques — Information security management systems — Overview and vocabulary

For the complete list, follow this link:



Cybersecurity excellence builder: A free download from NIST

KNOWING IS HALF THE BATTLE. I never expected a cliché quote from my Saturday morning childhood cartoons (Yo Joe!) to become a solid recommendation that I use on a day-to-day basis. This advice is particularly true when dealing with strategic disciplines such as cybersecurity, risk management, IT service management, corporate governance or business continuity. Yet the absence of structured information is one of the most common concerns for organizations.


So, what is the excuse? In terms of good practices and standards there are more than enough publications that most organizations can use to obtain a real, practical benefit for the business.

For instance, COBIT 5 is one of the most reliable frameworks for measuring information security maturity and capabilities. Putting the COBIT DSS05 (Manage Security Services) process into practice is one of the most effective ways to help the business achieve an adequate level of data protection.



Cobit 5 – Enabling processes – DSS05 RACI Chart

Aside from time-tested solutions, a new and free publication recently captured my attention. If you want a quick look at your cybersecurity maturity level, NIST’s Baldrige Cybersecurity Excellence Builder is a great self-test tool.

The current draft version was published by the National Institute of Standards and Technology (NIST) last September, and even as a draft, it has a simple yet very pragmatic approach. The whole idea is enabling organizations to better understand the effectiveness of their cybersecurity risk management efforts. It helps leaders of organizations identify opportunities for improvement based on their cybersecurity needs and objectives, as well as their larger organizational needs, objectives, and outcomes.

Using the self-assessment it is possible to:

  • determine cybersecurity-related activities that are important to your business strategy and critical service delivery;
  • prioritize your investments in managing cybersecurity risk;
  • determine how best to enable your workforce, customers, suppliers, partners, and collaborators to be risk conscious and security aware, and to fulfill their cybersecurity roles and responsibilities;
  • assess the effectiveness and efficiency of your use of cybersecurity standards, guidelines, and practices;
  • assess the cybersecurity results you achieve;
  • identify priorities for improvement.

The publication is straightforward, with easy-to-follow practices. Just one word of advice: as with any self-test, it requires some basic understanding of the evaluated topic, so someone with reasonable cybersecurity experience should validate the results in order to avoid misinterpretation or errors.


As mentioned before, the Baldrige Cybersecurity Excellence Builder is a free publication, and it can be downloaded HERE (warning: PDF).





ISACA CISM: Why you should do it and how to pass the certification exam!


The current state of cybersecurity is quite simple: each day presents a new set of threats and vulnerabilities. Businesses have discovered – the hard way – the costs of not investing in an experienced InfoSec team, and certifications such as ISACA’s CISM, Certified Information Security Professional.

This new perspective has been gradually changing the information security market, and papers like ISACA’s State of Cybersecurity: Implications for 2015 show that cybersecurity in general has been getting more support from upper management (really?) and bigger budgets (R U SERIOUS?). Paradoxically, there is a huge cybersecurity skills crisis: experienced professionals are in short supply on the market.


ISACA – 2014

I agree that experience is something you only get in the field, but there are countless options in terms of professional certifications that should make you stand out in the infosec crowd. Personally, I have always invested my time and resources in vendor-independent certifications, mostly from internationally recognized institutions like ISC², EXIN and APMG. The results have been much better than I expected.


Source: ISACA

ISACA’s CISM, Certified Information Security Professional, is one such case and one of the most in-demand certifications of 2016. Still unsure? Ok, look at this quick list of open positions that mention information security certifications:



If you already have some years of experience with information security and have begun thinking it is time for a managerial role, this certification is one of the best ways to improve your resume. The exam itself may still look a bit scary, but let me be clear: with adequate preparation and some dedication, anyone can achieve a great result on the first try.

I sat the CISM examination last June (2015), and here I share the methods and some practical tips I used in my preparation. Again, the results were excellent!




Corporate Culture: It is a great information security tool. This is why you should not overlook it.

CORPORATE CULTURE: IT IS A GREAT INFORMATION SECURITY TOOL. Culture, in general terms, can be understood as the set of ideas, habits and social behavior of a specific group. This translates into values, beliefs, ideologies and group behavior. In a corporate environment, it is only natural that absolutely every organization has its own culture. And yes, this is one of the key factors that can define the success or failure of information security.

The fact is, CULTURE EATS STRATEGY FOR BREAKFAST. The phrase, originally attributed to Peter Drucker, has never been as true as in modern organizations, especially in subjects related to Information Security and Risk Management. Corporate culture can either motivate professionals or drain their energy. Understand this: culture is the environment in which corporate strategy, even the most well defined, flourishes or withers. Any company that tries to disconnect these two factors is creating an unnecessary risk on the way to success.


Over the past years, several companies have learned – the hard way – that neglecting information security can have disastrous impacts on operations, brand and financial results. This scenario leads us to believe that the mindset of senior management should have evolved into a more mature approach, where security is seen as a business facilitator, incorporated into all aspects of the strategy and embedded in the corporate culture, right? Yeah, dream on.
