9 in 10 organizations embraced zero-trust, CSO

Archive for the ‘News’ Category

9 in 10 organizations embraced zero-trust, CSO

Posted by

Nearly 90% organizations have begun embracing zero-trust security, but many still have a long way to go, according to a report by multinational technology company Cisco. “The more organizations know about zero trust, the less they feel competent in zero trust,” Goerlich adds. “The more they learn, the more they realize they need to go further.”

Excerpt from 9 in 10 organizations have embraced zero-trust security globally.

“What often happens to security concepts that begin as buzzwords and capture momentum is they fade off into business as usual,” Goerlich says. “What we’re seeing is people no longer asking, ‘Are you doing zero trust?’ It’s, ‘Are you securing this new line of business? Are you securing our mergers and acquisitions? Are you protecting us against ransomware? Are you enabling the business to keep up to changing market demands and changes in the threat landscape?”

“Now that we have the outcomes identified,” Goerlich continues, “we can apply the appropriate technologies and appropriate pillars to achieve those outcomes. What we’re going to continue to see is zero-trust principles becoming fundamental security principles. As we move forward, good security is good security, and good security will include some of these zero-trust principles baked into every layer.”

Read the full article: https://www.csoonline.com/article/1249027/9-in-10-organizations-have-embraced-zero-trust-security-globally.html

 


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

 

Investments in cybersecurity initiatives, Spiceworks

Posted by

“Good security first delivers a business outcome and then, and only then, as a result, increases security,” noted J. Wolfgang Goerlich, advisory CISO at Cisco Secure.

Excerpt from In the Line of Fire: Understanding and Conquering Cybersecurity Risks

The benefits of adopting zero trust go beyond its drivers. Through zero trust, organizations not only avoid risk (and thus unnecessary costs) but also save capital through operational efficiencies and enable business.

Since implementing zero trust takes two or more years, Goerlich pointed out that organizations may not necessarily have 100% zero trust. “Today, the strongest predictor of whether or not organizations feel that they are achieving zero trust is whether or not they have automation, orchestration in place,” he said.

Aberdeen found that endpoint detection and response (EDR) and extended detection and response (XDR) are becoming mainstream as a result of zero trust thinking.

Goerlich reiterated this and added that organizations increasingly pair extended detection and response (XDR) with zero trust. “If you have a zero trust project in progress, you are 40% more likely to say, ‘I have an XDR/EDR project,’” Goerlich said. “ Because as we harden that layer, criminals are going to move. If you have end-to-end protection, where do they go? They go to the edge.”

Read the full article: https://www.spiceworks.com/it-security/cyber-risk-management/articles/cybersecurity-risk-management-zero-trust/


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

A pre-mortem on Zero Trust

Posted by

Zero trust offers organizations an approach that can help to significantly improve security posture and help to minimize risk. But what would happen if, let’s say, an organization had fully implemented zero trust and yet at some point several years into the future had a breach? What would be the likely reasons?

Excerpt from: How a pre-mortem can tell you what’s wrong with Zero Trust

“Our out of scope is in scope for adversaries,” Goerlich said.

“Whenever a control reaches critical mass, the control will be bypassed,” he said. “Another way of saying that is all a better mousetrap does is breed better mice.”

He suggests that organizations deploying zero trust today, look at their roadmaps and make sure they have plans to sustain support, interest and engagement for years to come. Goerlich also recommends that zero trust implementers shore up out-of-scope areas to help reduce the attack surface.

Read the full article: https://www.sdxcentral.com/articles/analysis/how-a-pre-mortem-can-tell-you-whats-wrong-with-zero-trust/2023/04/


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

Cybersecurity Maturity Model Certification (CMMC): considerations for self-attesting

Posted by

Suppliers who need to achieve Level 1, the most basic certification, may forgo seeking outside help and perform initial and annual assessments themselves.

Excerpt from: Navigating Cybersecurity Maturity Model Certification (CMMC) 2.0

“Suppliers with strong confidence in their audit and compliance teams, and suppliers with sufficient staffing, are ideally positioned should they decide to achieve Level 1 without external support,” added Wolfgang Goerlich, advisory chief information security officer, Cisco Secure, the portfolio of security products offered by San Francisco-based Cisco. “Such internal compliance initiatives can move quicker than bringing in a third-party when the people on the team have the relationships and understanding of how the practices are performed.”

The approach Goerlich describes may save money, but it won’t provide external validation and new perspectives.

“Achieving Level 1 with an internal project team answers the question, ‘What are we doing?’ but cannot answer the questions, ‘What are others doing, and what should we be doing?’” Goerlich said.

Read the full article: https://www.sme.org/technologies/articles/2023/february/navigating-cybersecurity-maturity-model-certification-cmmc-2.0/


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

Cybersecurity resolutions for consumers

Posted by

I participated in a Satellite Media Tour to share cybersecurity resolutions for consumers to keep in mind heading into 2023. Resolve to secure your accounts, resolve to protect your toys and tech, and resolve to protect your privacy. These interviews saw more than 300+ airings, including Washington, D.C.’s WJLA, Jackson, Tennessee’s WBBJ-TV, Tampa Bay, Florida’s WFTS, Jacksonville, Florida’s WTLV-TV, Austin, Texas’ KEYE. Here’s the one from South Florida’s WSFL-TV, to give a flavor of the conversation.


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

 

Tech trends for 2023

Posted by

Identity and access management solutions continue a hot streak for their capacity to improve operations.

Excerpt from: Tech Trends: Governments Express High Interest in IAM

At the Virginia Department of Transportation, a ransomware hack targeting the state’s traffic management system made it clear that it was time to beef up VPN security. For the state of Illinois, the issue was siloed technology operations within agencies that made it difficult for employees and residents to access tools and services.

The challenge for the city and county of Denver was what the government’s chief data officer described as multifactor authentication “sprawl.”

While each organization had to deal with its own problems, their IT teams all came to the same conclusion: They had to do better with identity and access management.

“I’ve never seen so much interest in this topic,” says Wolfgang Goerlich, Cisco’s advisory CISO for Duo, an identity and access management platform that both Denver and VDOT now rely on for protection from cyberthreats. “The big picture is that zero trust has become a mandate at multiple levels, and agencies are turning to identity and access management as one of the quickest paths to success.”

Read the full article: https://statetechmagazine.com/article/2022/12/tech-trends-governments-express-high-interest-iam


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

Cisco Rolls Out Duo Passwordless Authentication, Sees WebAuthn Usage Surge

Posted by

Excerpt from: Cisco Rolls Out Duo Passwordless Authentication, Sees WebAuthn Usage Surge

Cisco plans to roll out its Duo Passwordless Authentication globally next Wednesday. This push is in line with the findings from Duo Security’s recent report which showed that passwordless adoption continues to climb.

“We’re starting to reach a tipping point where the hardware is ubiquitous, the standards are in place, and enough services support the standards, and that’s really driving that increase that we see in web authentications. So now … organizations can adopt them with confidence,” Goerlich said.

Read the full article: https://www.sdxcentral.com/articles/news/cisco-rolls-out-duo-passwordless-authentication-sees-webauthn-usage-surge/2022/11/


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

On men named Wolf

Posted by

A bit of fun…

MEL interviewed Men named Wolf on the Kardashians dragging their good name through the mud. After Kylie Jenner and Travis Scott announced they were changing their baby’s name to something more fitting than ‘Wolf,’ other Wolfs — Wolves? — started howling.

Excerpt:

Goerlich: I think you need to grow into being “Wolf.” You’ve got to be a little bit scruffy, a little bit older, a little bit worn around the edges. Maybe there’s a chunk taken out of your ear — you’ve got to look like a fighter. You’re not going to look like that when you’re young, so I can see why they said, “He doesn’t look like a ‘Wolf’ yet.” But give the kid time. He’ll get there.

Read the full article: https://melmagazine.com/en-us/story/wolf-kylie-jenner-travis-scott-baby-name


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

Steps to take when there’s an active adversary

Posted by

CISOs know they must respond quickly and effectively to an incident, yet surveys point to continuing challenges to deliver on that goal. These steps will help you respond quickly, without letting a crisis turn into chaos.

Excerpt from: 12 steps to take when there’s an active adversary on your network

3. Bring in the business

CISOs should be looping in business during the triage process, security leaders say, a point that’s often overlooked during active responses. As part of this, security teams need to immediately identify what impacted components are critical for conducting business, who owns those components and who controls them.

As J. Wolfgang Goerlich, advisory CISO with Cisco Secure, says: “This is a business problem. But in a security breach, a very technical person will be thinking, ‘I have to remediate.’ However, one of the things that CISOs need to remember is that a breach is a business problem not a technical problem. So there should be a secondary process that’s running business continuity and disaster recovery so that the business can keep doing what it needs to be doing.”

12. Stay calm; tend to staff needs

Goerlich says he has seen teams “run themselves into the ground” by working long hours without breaks and even a day or more without sleep. Although that grueling schedule shows a level of dedication, it’s likely to lead to mistakes.

“People get into their zones and work well beyond the times that they should,” Goerlich says, noting that CISOs should plan for clear lines of communications, caps for work hours, staggered schedules, and post-event time off. He adds: “As much as possible, organizations should think out in advance how to handle the human elements.”

Read the full article: https://www.csoonline.com/article/3645690/12-steps-to-take-when-there-s-an-active-adversary-on-your-network.html


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

Adoption of hardware-based security keys

Posted by

Google last week revealed that it was coordinating efforts with global partners to hand out free USB security keys to 10,000 elected officials, political campaign workers, human rights activists and journalists, and other users considered to be at high risk of getting hacked.

Excerpt from: Tech giants encouraging adoption of hardware-based auth keys

“Whenever a major organization makes a major announcement bolstering their security controls, it sparks conversation and movement in the broader industry,” agreed Wolfgang Goerlich, advisory CISO at Cisco Secure. “Google’s announcement that it is enrolling 10,000 people in authenticating with strong security keys will make it easier to explain a similar need in other organizations.”

And this isn’t the first such corporate endorsement of hardware-based authentication. Among the companies using FIDO’s standards for Universal 2nd Factor (U2F) authentication keys is Yubico, which like Google has been working with DDC to provide its hardware-based authentication keys to campaigns from both major parties.

Read the full article: https://www.scmagazine.com/analysis/physical-security/tech-giants-encouraging-adoption-of-hardware-based-auth-keys


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.