Cybersecurity Where You Are

Author: Center for Internet Security



Cybersecurity affects us all, whether we are at home, managing a company, supporting clients, or even running a state or local government. Join the Center for Internet Security’s Sean Atkinson and Tony Sager as they discuss trends and threats, ways to implement controls and infrastructure, explore best practices, and interview experts in the industry. If you are interested in learning more about how to grow your cybersecurity program, CIS and its volunteer community are here to bring clarity to these complex issues and Confidence in a Connected World.
9 Episodes
Resources:
- Visit the CIS Website

Highlights:
- The importance of information security governance
- Security vs. compliance
- Data – determining what you need and where to find it
- Understanding risk from a decision basis
- Critical elements to fulfill business requirements
- Producing value in a compliance program
- Applying agility for continuous improvement
- Good compliance = good security

Security is the practice of implementing effective technical controls to protect an organization’s digital assets. Compliance, on the other hand, is the application of that practice to meet regulatory or contractual requirements. Unfortunately, more often than not, organizations focus on compliance once a year when it’s time to certify that their “security is good.” Being compliant and secure should instead be a continuous process.
Resources:
- Visit the CIS Website
- Download the CIS Controls v8
- Download the CIS Controls v8 Change Log
- Join a CIS Controls Community

Highlights:
- Everything has to be measurable
- Everything has to be achievable
- CIS Controls v8 must have a peaceful coexistence with cybersecurity frameworks
- The Controls need to be backed by data and able to defend against real-world threats

First Impressions Matter
The CIS Controls team and volunteers rewrote nearly every word of v8 in an effort to modernize and consolidate the document. CIS Controls v8 is much more focused and less redundant than previous versions. Find out what people are saying about this new version!

Feedback: Request, Manage, Gather, & Use for the Greater Good
Organizations big and small rely on the CIS Controls to defend against the most prevalent cyber-attacks against systems and networks, and they count on the Controls team to do the best job it can for the greater good of the cybersecurity community.
Resources:
- What are the CIS Controls
- Learn more about CIS Controls v8
- Free Webinar | May 18, 2021: Sign up to hear about all the changes to the CIS Controls
- Frequently Asked Questions

In this edition of Cybersecurity Where You Are, host Tony Sager, CIS Senior Vice President and Chief Evangelist, welcomes guests Randy Marchany and Phyllis Lee. Marchany is the Chief Information Security Officer (CISO) at Virginia Tech, and Lee serves as Senior Director of the CIS Controls. The connection between the two guests is the CIS Controls – a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks.

Highlights:
- History of the CIS Controls
- Guiding principles for CIS Controls v8
- The CIS Controls ecosystem
- Practical implications for the Controls and real-world applications
- The CIS Controls life cycle

Remember to subscribe to get the latest cybersecurity news and updates to Start Secure and Stay Secure.
Resources:
- EI-ISAC
- Elections Security Tools & Resources
- #PROTECT2020

In this edition of Cybersecurity Where You Are, host Sean Atkinson, CISO at the Center for Internet Security (CIS), welcomes guests Geoff Hale and Lew Robinson. Hale leads the Election Security Initiative at the Cybersecurity and Infrastructure Security Agency (CISA), while Robinson serves as CIS Vice President of Election Operations. Both organizations, and both guests, played a big role in the success of the 2020 General Election, which has been deemed the most secure election in American history.

Highlights:
- Elections: A Critical Infrastructure
- Strong Partnerships Make for Strong Collaborative Efforts
- Technical and physical controls that contributed to the 2020 General Election being the most secure election in history
- Steps taken to enhance communications and provide threat intelligence to state and local entities
- The collaborative process used to gather stakeholder input and shape the approach to election security
- Strategies and techniques used to manage mis- and disinformation
- Efforts made to assist state and local election offices with best practice guidance
- Lessons learned from the 2020 General Election

Remember to subscribe to get the latest cybersecurity news and updates to Start Secure and Stay Secure.
Part 2 of a 2-part series

Resources:
- Listen to Part 1
- CIS website
- CIS SecureSuite Tools and Resources
- CIS Benchmarks
- CIS Controls (v8 coming Spring 2021)
- CIS CSAT (CIS Controls Self Assessment Tool)
- Community Defense Model (v2 coming Spring 2021)

In this week’s Cybersecurity Where You Are podcast, hosts Tony Sager and Sean Atkinson continue their conversation on cyber defense as a risk-based process. They discuss the actions and resources that help build and implement the “defensive machinery” that supports an organization’s current cyber defense plan and helps it mature.

Highlights:
- A CISO’s First 90 Days
- The Importance of a Strong Foundation
- Knowing Your Lineage
- Mapping to Regulatory Frameworks
- Tools: From Spreadsheets to CIS CSAT
- Sharing with the Group

Remember to subscribe to get the latest cybersecurity news and updates to Start Secure and Stay Secure.
Episode Resources:
- Blog: Assess, Remediate, and Implement with CIS SecureSuite
- Free Webinar: CIS Benchmarks and CIS-CAT Pro Tool Demo

Part 1 of a 2-part series

Technology is ever-changing AND ever-evolving, creating uncertainty among cybersecurity professionals – the defenders – in their pursuit of an effective cyber defense strategy. The uncertainty of the defender can justifiably be attributed to the uncertainty of the attacker. In this week’s Cybersecurity Where You Are podcast, hosts Tony Sager and Sean Atkinson introduce cyber defense as a risk-based process to reduce the overall probability and impact that a cyber-attack will have on an organization.

Cyber defense never ends
Cyber defense refers to the ability to prevent cyber-attacks from infecting a computer system or device; it involves anticipating adversarial cyber actions and countering intrusions. There is no “one-size-fits-all” cyber defense protocol or strategy. However, a good cyber defense strategy should aim to protect against, prevent, detect, respond to, and recover from external and internal attacks. As technology expands, the complexity of cyber-attacks also evolves, forcing cyber defense initiatives, and the defenders behind them, to do whatever they can to keep up.

OODA loop process
The OODA (Observe, Orient, Decide, Act) loop is a repetitive four-step decision-making process: gather information, put that information into context, make the most appropriate decision while accepting that it can be revised as more data becomes available, and then take action. The OODA loop is especially applicable to cybersecurity and cyber defense, where the defender’s agility and repetition can potentially outpace those of the attacker.

Fog of More
While cyber defense is an abstract model, cybersecurity defenders have to actually do concrete things. It initially comes down to having a plan in place and asking the right questions: What data do we have? Where is it? What do we do with it? Asking the right questions (for clarity) eliminates the Fog of More (coined by Tony Sager, of all people) – the overload of defensive support (i.e., more options, more tools, more knowledge, more advice, and more requirements, but not always more security). An effective cyber defense program requires defenders to gather information and data, put that data into context, make decisions, take action, and then REPEAT, REPEAT, REPEAT.
Resources:
- Risk Association
- National Institute of Standards and Technology (NIST)
- CIS Controls

Can a risk assessment questionnaire be the catalyst for true change to the entire vendor cybersecurity ecosystem? Cybersecurity Where You Are podcast host Sean Atkinson welcomes guest Ryan Spelman, former CIS employee and now Managing Director at Duff & Phelps on their CYBERCLARITY360 team. Together, Sean and Ryan discuss tactics companies can use to better understand their cyber-risk posture and how stronger relationships between companies and their third parties impact the industry as a whole.

Better use of the third-party risk assessment questionnaire
Using the go-to “third-party risk assessment questionnaire” as a one-and-done exercise is an all too common practice. While completing these questionnaires meets certain regulatory requirements, truly managing risk is about acting on the data collected, not just collecting it. There is a misconception that the questionnaire is for general information collection and that the same questions can apply to all vendors. Some questions, such as those about overseas relations or services, may be applicable to all vendors. But to more accurately assess a third party’s risk, it is important to customize the questions to match the vendor’s use case and scope. This episode shares how an organization can start drafting these inquiries. Once the questionnaire is crafted, completed, and returned, a plan should also be in place for how to address the issues that arise from the submitted answers.

Beyond the questionnaire – communication is key
The issue of third-party management rests in the hands of both the company and the vendor. Clear, accurate, and truthful communication between both parties makes both entities ultimately stronger.

Building a stronger security ecosystem
This is an “area where the common good can happen,” says Ryan. If a company can make the third party’s security posture better, then everyone else who uses this third party is made better. It ultimately makes a measurable difference in the entire vendor ecosystem.

The Atkinson 9
In the vein of another famous interviewer, Sean asked Ryan his “Atkinson 9,” a quick Q&A about security. Listen now to find out what our guest said!
Resources:
- 2021 Cybersecurity Trends to Prepare For
- Blog: Where Does Zero Trust Begin and Why is it Important?
- CIS Controls
- Cybercrime Support Network (CSN)

2020 was considered “the year like no other.” The industry saw a mass convergence of social issues with cyber issues due to the pandemic, the elections, and the SolarWinds supply chain issue. Cybersecurity resilience was tested, and it was crucial that the industry adapt quickly. With the onset of the COVID-19 pandemic in March of 2020, many organizations went fully remote, including CIS. CIS had to be agile, and the cybersecurity industry had to adapt to the new challenges of a growing remote workforce.

The Trends
Risk management strategies, such as ways to identify gaps, how to best implement the CIS Controls, data management, and privacy requirements, were the foundations for crisis management. Ransomware is here to stay as a top cyber threat. It moved from the lone hacker to a capitalist business structure where the software just needs to be purchased and used, as opposed to needing to be built by the attacker. Zero Trust: Sean uses the analogy of “the castle and the moat.” Today the drawbridge is always open and things are going in and out without the ability to monitor it all. Zero Trust is setting the new tone for security practices.

What the Future (May) Hold
Small Businesses Need Support: The weight of responsibility on small businesses to accommodate the assessment evaluations for risk management is a huge burden. A Diminishing Cyber Workforce: There is a growing concern about the shortage of cybersecurity professionals. The Role of Government: With a change in government, like we have in 2021, there is a change in the way government thinks about priorities.
Co-hosts Sean Atkinson and Tony Sager welcome you to the CIS podcast Cybersecurity Where You Are. This episode gives you an overview of what the Center for Internet Security is, how the co-hosts grew with the industry, and the importance of basic cyber hygiene.

Resources:
- Check out the CIS Controls
- Learn more about Basic Cyber Hygiene

The Center for Internet Security is a community-driven nonprofit, responsible for the CIS Controls® and CIS Benchmarks™, globally recognized best practices for securing IT systems and data. We lead a global community of IT professionals to continuously evolve these standards to proactively safeguard against emerging threats. CIS is home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial government entities, and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®), which supports the rapidly changing cybersecurity needs of U.S. elections offices.

Meet co-host Tony Sager
Tony has over 43 years of experience in the industry, most of which was with the National Security Agency (NSA). With a background as a mathematician, he worked at the NSA in the Communications Security Interim Program focusing on the security of U.S. systems. He worked mostly on cryptography and confidentiality in the interest of the country’s defense. He then moved to Computer Science when computers began to move from large systems in buildings to at-home workstations (do you remember the Apple II+?). Tony witnessed the transition of cybersecurity from mathematics to information and communications and found himself in great company helping to develop CIS over the past 20 years.

Meet co-host Sean Atkinson
Sean lived in England for about 20 years before moving back to the U.S. His background was not actually in computer science; he holds an MBA in Business with a concentration in Technology Management. He credits the book “Business Data Networks and Telecommunications” by Raymond Panko for getting him into network and technology specialization. He then worked as an IT Auditor and in 2004 found himself working on Section 404 projects. He then worked in State Government, moving his way up to Security Manager implementing PeopleSoft when adding security to the software lifecycle was in its infancy. He then moved to the Department of Defense and now works with CIS as CISO to frame best practices and implementation.

Basic Cyber Hygiene
We know cybersecurity is an issue for any business, but where do you start? By looking at your data, networks, and systems from a risk perspective, you can then implement means to protect them. There are foundational best practices that everyone can do and should do. Tony and Sean touch on the CIS Controls – the prioritized set of actions to protect your organization and data from known cyberattack vectors – and what actions to take first.