Cybersecurity excellence builder: A free download from NIST

KNOWING IS HALF THE BATTLE. I never expected a cliché quote from my Saturday morning childhood cartoons (Yo Joe!) to be a solid recommendation that I use on a day-to-day basis. This advice is particularly true whenever dealing with strategic disciplines such as cybersecurity, risk management, IT service management, corporate governance or business continuity. Yet, the absence of structured information is one of the most usual concerns for organizations.

yojoe

So, what is the excuse? In terms of good practices / standards there are more than enough publications that can be used by most organizations ensure a great/practical benefit for business.

For instance, COBIT 5 is one of the most reliable frameworks for measuring information security maturity/capabilities. Putting COBIT DSS05 (Manage Security Services) process to practice is one of the most effective ways to enable business in achieving an adequate data protection level.

raci

 

Cobit 5 – Enabling processes – DSS05 RACI Chart

Aside from time-tested solutions, a new and free publication recently captured my attention. If you want a quick look at your cybersecurity maturity level, NIST’s Baldrige Cybersecurity Excellence Builder is a great self-test tool.

The current draft version was published by the National Institute of Standards and Technology (NIST) last September, and even as a draft, it has a simple yet very pragmatic approach. The whole idea is enabling organizations to better understand the effectiveness of their cybersecurity risk management efforts. It helps leaders of organizations identify opportunities for improvement based on their cybersecurity needs and objectives, as well as their larger organizational needs, objectives, and outcomes.

Using the self-assessment it is possible to:

  • determine cybersecurity-related activities that are important to your business strategy and critical service delivery;
  • prioritize your investments in managing cybersecurity risk;
  • determine how best to enable your workforce, customers, suppliers, partners, and collaborators to be risk conscious and security aware, and to fulfill their cybersecurity roles and responsibilities;
  • assess the effectiveness and efficiency of your use of cybersecurity standards, guidelines, and practices;
  • assess the cybersecurity results you achieve;
  • identify priorities for improvement.

The publication is straightforward, with easy to follow practices. Just one word of advice: as with any self-test, it is necessary to have some basic understanding on the evaluated topic, so someone with a reasonable cybersecurity experience should validate any results in order to avoid any misinterpretation or errors.

nist-cybersec

As mentioned before, the Baldrige Cybersecurity Excellence Builder is a free publication, and it can be downloaded HERE (warning: PDF).

Source:

https://www.nist.gov/news-events/news/2016/09/nist-releases-baldrige-based-tool-cybersecurity-excellence

 

ISACA CISM: Why you should do it and how to pass the certification exam!

ISACA CISM: Why you should do it and how to pass the certification exam!

The current state of cybersecurity is quite simple: each day presents a new set of threats/vulnerabilities. Business have discovered – the hard way – the costs of not investing in an experienced InfoSec Team, and certifications such as ISACA’s CISM, Certified Information Security Professional.

This new perspective has been gradually changing the information security market, and papers like ISACA’s State of Cybersecurity: Implications for 2015 show that cybersecurity in general has been getting more support from upper management (really?) and bigger budgets (R U SERIOUS?). Paradoxically, there is a huge cybersecurity skill crisis, experienced professionals are short on the market.

cyberrsecurity-skill-crisis

ISACA – 2014

I agree that experience is something you only get on the field, but there are countless options in terms of professional certifications that should make you stand out in the infosec crowd. Personally, I always invested my time and resources on vendor free certifications, mostly from internationally recognized institutions like, ISC², EXIN e APMG. The results have been much better than I expected.

isaca-career-oportunities

Source: ISACA

ISACA’s CISM, Certified Information Security Professional is one such case and one of most in demand certifications of 2016. Still unsure? Ok, look at this quick list of open positions that mention information security certifications:

certification-numbers

Source: http://www.tomsitpro.com/articles/information-security-certifications,2-205.html

If you already have some years of experience with information security and began thinking it is time for a managerial role, this certification is one of the best ways you could improve your resume. The exam itself may still looks a bit scary, but let me be clear: With adequate preparation and some dedication, anyone can achieve a great result on the first try.

I attended the CISM examination last June (2015), and here I share the methods and some practical tips I used for my preparation. Again, the results were excellent!

Read more

Corporate Culture: It is a great information security tool. This is why you should not overlook it.

CORPORATE CULTURE: IT IS A GREAT INFORMATION SECURITY TOOL. Culture, in general terms, can be understood as a set of ideas, habits and social behavior in a specific group. This translates into values, beliefs, ideologies, beliefs, group behavior. In a corporate environment, it is only natural that absolutely every organization has its own culture. And yes, this is one of the key factors that can define the success or failure of information security.

The fact is CULTURE EATS STRATEGY FOR BREAKFAST. The phrase, originally attributed to Peter Drucker, has never been as true as in modern organizations, especially in subjects related to Information Security and Risk Management. Corporate culture can either motivate or drain the energy of professionals. Understand: Culture is the environment where corporate strategy, even the most well defined, blooms or agonizes. Any company that tries to disconnect these two factors is creating an unnecessary risk on the way to success.

peter01

Over the past years, several companies have learned – the hard way – that neglecting information security can bring disastrous impacts on operations, brand and financial results. This scenario leads us to believe that the mindset of senior management should have evolved into a more mature approach, where security is seen as a business facilitator and incorporated into all aspects of the strategy and transmitted in corporate culture, right? Yeah, dream on.

Read more

ISO 27000 – free and legal download!

IF YOU ARE AN INFOSEC PROFESSIONAL, STUDENT OR HAVE ANY INTEREST ON THE SUBJECT you are very likely to have heard about ISO/IEC 27001: 2013. What you may not know is that the 27K family is much, much bigger.

Currently there are 16 publications dedicated to the implementation and operation of an ISMS (Information Security Management System) aligned to international standards, and suitable for business of all sizes and verticals. According to the Brazilian National Information Security Survey, which I published last year, more and more Brazilian companies have been investing and adopting the standard.

Read more

ISO 27001: 2013 – What really changed with the updated version of the key information security norm?

2013 was a year with no shortage on news about hacker attacks, data leaks, digital espionage, privacy issues (hi Obama!) and the result is that Information Security is now – more than ever – into the spotlight.

In this context comes the revised version of ISO 27001, the international standard that, for more than a decade, has been one of the main references for managing Information Security. A series of questions may come into the minds of IS professionals: What does really change? Is the standard more effective?

Of course, professionals in charge of ISMS management are imagining the amount of new controls and documents required to obtain/maintain certification.

So, let’s check it out!

Read more