With the rapid advancements of generative AI and evolving threat landscape, the job of cybersecurity has never been harder, and the pressure to protect organizations has never been greater. With the likelihood of a breach being a matter of when, not if, preparedness is top of mind for Boards. But there is a more pressing question:
How do we really know our teams are prepared for the next attack? Organizations have poured hundreds of thousands of dollars into traditional training techniques – is it working? In short: no… At a time when preparedness is so vital, organizations have, ironically, never been less prepared. According to the Cyber Workforce Resilience Trend Report, despite years of security awareness training, almost half of organizations say their employees would fall victim to a phishing email.
Certifications are proving to be ineffective: Although almost all (96%) organizations encourage IT and cybersecurity teams to gain industry certifications, only 32% of respondents agree that industry certifications are effective. The truth, as painful as it might be, is that traditional cyber training and industry certifications are failing organizations and their leaders.
By: James Hadley
James Hadley founded Immersive Labs in 2017 to help organizations build confidence in the cyber knowledge, skills and judgment of their entire
Source: Cyber Certifications Have Failed. How to Build and Prove Cyber Skills
Critics:
ISO/IEC 27001, part of the growing ISO/IEC 27000 family of standards, is an information security management system (ISMS) standard, of which the last revision was published in October 2022 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection – Information security management systems – Requirements.
ISO/IEC 27001 formally specifies a management system intended to bring information security under explicit management control. ISO/IEC 27002 incorporates part 1 of the BS 7799 good security management practice standard. The latest version of BS 7799 is BS 7799-3. ISO/IEC 27002 is therefore sometimes referred to as ISO 17799 or BS 7799 part 1, and sometimes it refers to part 1 and part 7.
BS 7799 part 1 provides an outline or good practice guide for cybersecurity management; whereas BS 7799 part 2 and ISO/IEC 27001 are normative and therefore provide a framework for certification. ISO/IEC 27002 is a high-level guide to cybersecurity. It is most beneficial as explanatory guidance for the management of an organization to obtain certification to the ISO/IEC 27001 standard.
The certification once obtained lasts three years. Depending on the auditing organisation, no or some intermediate audits may be carried out during the three years. ISO/IEC 27001 (ISMS) replaces BS 7799 part 2, but since it is backwards compatible any organization working toward BS 7799 part 2 can easily transition to the ISO/IEC 27001 certification process. There is also a transitional audit available to make it easier once an organization is BS 7799 part 2-certified for the organization to become ISO/IEC 27001-certified.
ISO/IEC 27002 provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining information security management systems (ISMS). It states the information security systems required to implement ISO/IEC 27002 control objectives. Without ISO/IEC 27001, ISO/IEC 27002 control objectives are ineffective. ISO/IEC 27002 control objectives are incorporated into ISO/IEC 27001 in Annex A.
ISO/IEC 21827 (SSE-CMM – ISO/IEC 21827) is an International Standard based on the Systems Security Engineering Capability Maturity Model (SSE-CMM) that can measure the maturity of ISO control objectives.
The NIST Cybersecurity Framework (NIST CSF) “provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes.” It is intended to help private sector organizations that provide critical infrastructure with guidance on how to protect it, along with relevant protections for privacy and civil liberties.
Special publication 800-12 provides a broad overview of computer security and control areas. It also emphasizes the importance of security controls and ways to implement them. Initially, this document was aimed at the federal government, although most practices in this document can be applied to the private sector as well. Specifically, it was written for those people in the federal government responsible for handling sensitive systems.
Special publication 800-14 describes common security principles that are used. It provides a high-level description of what should be incorporated within a computer security policy. It describes what can be done to improve existing security as well as how to develop a new security practice. Eight principles and fourteen practices are described within this document.
Special publication 800-26 provides advice on how to manage IT security. It has been superseded by NIST SP 800-53 rev3. This document emphasizes the importance of self-assessments as well as risk assessments.
Special publication 800-37, updated in 2010, provides a new risk approach: “Guide for Applying the Risk Management Framework to Federal Information Systems”.
Special publication 800-53 rev4, “Security and Privacy Controls for Federal Information Systems and Organizations”, published April 2013 and updated as of January 15, 2014, specifically addresses the 194 security controls that are applied to a system to make it “more secure”.
Special publication 800-63-3, “Digital Identity Guidelines”, published June 2017 and updated as of December 1, 2017, provides guidelines for implementing digital identity services, including identity proofing, registration, and authentication of users.
Special Publication 800-82, Revision 2, “Guide to Industrial Control System (ICS) Security”, revised May 2015, describes how to secure multiple types of Industrial Control Systems against cyber-attacks while considering the performance, reliability and safety requirements specific to ICS.
Related contents:
- “Guidelines for Smart Grid Cyber Security”. National Institute of Standards and Technology.
- “ITU-T Recommendation database”.
- “FSI – Consortium for Research on Information Security and Policy”.
- “NIST Cybersecurity Framework Adoption Hampered By Costs, Survey Finds”.
- “Tallinn, Hacking, and Customary International Law”.
- “Searching Places Unknown: Law Enforcement Jurisdiction on the Dark Web”.
- ISO/SAE 21434:2021 Road vehicles — Cybersecurity engineering
- “UN Regulations on Cybersecurity and Software Updates to pave the way for mass roll-out of connected vehicles | UNECE”.
- ETSI announcement
- ETSI EN 303 645 V2.1.0
- “ETSI TS 103 701 Cyber Security for Consumer Internet of Things: Conformance Assessment of Baseline Requirements”
- Symantec Control Compliance Suite – NERC and FERC Regulation
- “NIST Cybersecurity Framework”.
- “Essential Eight Maturity Model”.
- “BSI – IT-Grundschutz”.