Volume 3 | Issue 4 | April 2019


CISO MAG | April 2019

Advertisement

PROVISE FOR YOU

ProVise is an Independent, product agnostic, research driven Advisory firm specializing in GRC and Cyber Security Professional Services.

What started with two people in 2000 is now an entity spanning across regions with a global portfolio of leading customers.

Since its inception in 2000, Provise has expanded its footprint in 7 countries and has around 75+ Successful projects executed.

As of today, Provise is a Trusted cyber security partner in UAE for the Largest Police Force, Largest Real Estate Firm, Largest Telecom Company, Largest Entertainment Island and striving for much more.

OUR BUSINESS LINES

Technology Governance, Risk and Compliance advisory business

Industry specific, Threat Centric Cyber Security Assurance and Monitoring

GRC COGNITIVE PLATFORM | CYBER SECURITY PLATFORM

WINNING IS NOW A HABIT IN PROVISE

R&D IS THE CORE OF ALL SERVICES AND PROJECTS

Product Engineering and R&D is located in Bengaluru.

OUR DNA

Innovation distinguishes between a leader and a follower.

Vision: To be the customers' partner of choice for safeguarding their digital assets.

Mission 2020: Top 3 Cyber Security Research Firms in Asia; No. 1 GRC Platform Globally; No. 1 GRC Consulting Firm Globally.


The General Data Protection Regulation (GDPR) came into force in the European Union on May 25, 2018. It’s been a year now, and a lot has changed around data protection legislation across the European Economic Area (EEA). GDPR became an opportunity for several companies to establish best practices in cybersecurity, and it also paved the way for the California Consumer Privacy Act, which is touted as the GDPR for the United States of America. The U.S. is one of several nations in the world to join the bandwagon of data protection. In other words, the juggernaut has rolled. In our Cover Story, we bust several myths around GDPR that still persist while also exploring newer realities. In our Buzz section, we explore several neglected data security best practices, including classification of data based on its sensitivity, password management for admins, and reviewing data available to everyone, among several others. We have Ben Aung, Global Chief Information Security Officer of Sage, Under the Spotlight as he talks about how GDPR affected businesses and discusses the gray areas in GDPR that companies are still struggling to understand. In our Insight section, we shed light on methods to protect yourself before a merger or an acquisition by detailing several cybersecurity assessment steps your organization can follow. Tell us what you think of this issue. If you have any suggestions, comments, or queries, please reach us at [email protected].

* Responsible for selection of news under PRB Act. Printed & Published by Apoorba Kumar, E-Commerce Consultants Pvt. Ltd., Editor: Rahul Arora. The publishers regret that they cannot accept liability for errors & omissions contained in this publication, howsoever caused. The opinion & views contained in this publication are not necessarily those of the publisher. Readers are advised to seek specialist advice before acting on the information contained in the publication, which is provided for general use & may not be appropriate for the readers’ particular circumstances. The ownership of trademarks is acknowledged. No part of this publication or any part of the contents thereof may be reproduced, stored in a retrieval system, or transmitted in any form without the permission of the publishers in writing.

Volume 3 | Issue 4 | April 2019

Editorial

International Editor: Amber Pedroncelli, [email protected]

Principal Editor: Rahul Arora, [email protected]

Senior Feature Writer: Augustin Kurian, [email protected]

Feature Writer: Rudra Srinivas, [email protected]

Media and Design

Media Director: Saba [email protected]

Sr. Graphics Designer: Sameer Surve, [email protected]

Management

Executive Director: Apoorba Kumar*, [email protected]

Senior Director, Compliance & Governance: Cherylann [email protected]

Deputy Business Head: Jyoti Punjabi, [email protected]

Marketing and Business Development Officer: Riddhi [email protected]

Digital Marketing Manager: Jiten Waghela, [email protected]

Publishing Sales Manager: Taruna Bose, [email protected]

Technology

Director of Technology: Raj Kumar [email protected]

INDEX

EDITOR’S NOTE: Jay Bavisi, Editor-in-Chief

BUZZ: Top 10 Neglected Data Security Best Practices (page 08)

UNDER THE SPOTLIGHT: Ben Aung, Global Chief Information Security Officer, Sage (page 16)

INSIGHT: Crucial Cybersecurity Assessment Steps Before Merger or Acquisition (page 26)

COVER STORY: GDPR a year on, busting the myths and exploring the new realities (page 36)

COLLABORATIONS: InfoSec Partnerships (page 46)

IN THE NEWS: Top Stories from the Cybersecurity World (page 54)

IN THE HOTSEAT: High-Profile Appointments in the Cybersecurity World (page 62)

KICKSTARTERS: Startups Making Waves in the Cybersecurity World (page 68)


    Advertisement

From the CISO Perspective to Cloud Security Assessments

The secret is out: Enterprises large and small have moved to the cloud, and more are making the move daily. Whether you’re an early adopter or you’ve been battling that persistent strain of nephophobia going around, it’s important to thoroughly understand and evaluate potential cloud vendors, instilling confidence for your organization and your customers.

Learn How to Make the Leap With Confidence: http://bit.ly/2ivU4l9

Download our Cloud Security Toolkit to help you evaluate potential cloud vendors. Get insight into how other companies are approaching cloud opportunities, and instill confidence across your organization today.

BUZZ

Neglected Data Security Best Practices

Ilia Sotnikov, Vice President, Product Management, Netwrix


Ensuring data security becomes harder every day. Firstly, sensitive data is often spread across on-premises and cloud-based storage locations, which makes it more difficult to maintain security controls. Secondly, the volume of data, including sensitive information, continues to grow, which means that more data requires protection. Finally, cyber criminals get more innovative all the time. As a result, securing data in compliance with increasingly complex regulations is a challenge. The 2018 Netwrix IT Risks Report explores how organizations are working to ensure compliance and beat cyber threats. Unfortunately, the results indicate that organizations aren’t doing enough to defeat the bad guys. Here are the 10 most neglected security best practices:

1. Classify data based on its sensitivity

Security experts recommend that organizations classify data at least twice a year, so they can reset access rights and ensure that only the right people have access to data.

Reality check: 64% of organizations admit that they classify data based on its level of sensitivity just once per year or even less frequently.

Pro tip: Many organizations rely on users to classify data, which rarely works well. Look for data discovery and classification products that automate the classification process.

2. Update data access rights

To prevent unauthorized access to data, security experts recommend strictly enforcing the least-privilege principle, as well as reviewing access rights every six months and after important events like an employee termination.

Reality check: 51% of organizations do not update data access rights even once a year.

Pro tip: Look for governance solutions that can assess and control access rights, both as part of an ongoing process as well as ad hoc. Also look for reporting and alerting tools that can ensure it’s all being done correctly and securely.

3. Review data available to everyone

To reduce risk to sensitive data, security experts say that at least every three months, organizations should check that folders and shares available to everyone don’t contain sensitive data.

Reality check: 76% of organizations are not doing this frequently enough, and some never do it at all.

Pro tip: Look for solutions that can automate a continuous program to discover, classify and secure content regardless of where it resides, so you can reduce your attack surface.

The 2018 Netwrix IT Risks Report: https://www.netwrix.com/2018itrisksreport.html

4. Get rid of stale data

When you no longer need data for daily operations, it should be archived or deleted. To mitigate security risks, experts recommend doing this every 90 days.

Reality check: Only 18% of organizations delete unnecessary data once a quarter, meaning that 82% of organizations are needlessly increasing their threat exposure.

Pro tip: Deploy an automated solution that can find stale data and collaborate with the data owners to determine which data can be archived or permanently deleted.

5. Conduct asset inventory regularly

Security experts encourage you to identify all your assets (e.g. databases, software and computer equipment) and determine who is responsible for them at least once a quarter.

Reality check: Just 29% of organizations stick to the recommended schedule.

Pro tip: Choose an asset tracking solution that streamlines data collection and analysis to locate every asset within your company. Make sure it is easy to use and fits your needs.

6. Update and patch software promptly

Installing security updates to your software in a timely manner enables you to mitigate vulnerabilities. The recommended frequency depends on patch and system importance and other factors; it varies from weekly for critical security patches to quarterly for less urgent patches, such as maintenance patches.

Reality check: 33% of organizations do not update their software even once in 90 days.

Pro tip: Establish a dedicated testing environment or at least a segment for patch testing to avoid incompatibility or performance issues.

7. Perform vulnerability assessments

Regular vulnerability assessments help you locate security gaps and reduce your exposure to attacks. Security experts recommend running these assessments at least once a month.

Reality check: 82% of organizations do this only twice a year or don’t do it at all.

Pro tip: Find products that can continuously evaluate threats to your data and make sure you know which threat actors do most harm to your business. Even better, find tools that provide alerts to reduce the number of false alarms.
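Items 3 and 4 describe two checks that an automated tool performs on a file store: find sensitive content sitting in locations everyone can read, and find data nobody has touched within the 90-day window. The script below is an added example written for this section, not Netwrix's product or code from the article; it assumes a POSIX filesystem where "available to everyone" is approximated by the world-readable permission bit, and the detector patterns and sample files are constructed for illustration.

```python
import os, re, stat, tempfile, time
from pathlib import Path

STALE_DAYS = 90  # the article's "every 90 days" threshold for stale data
SENSITIVE_PATTERNS = {  # constructed detectors, illustrative only
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

def audit_tree(root, now=None, stale_days=STALE_DAYS):
    """Flag world-readable files holding sensitive data (item 3) and stale files (item 4)."""
    now = time.time() if now is None else now
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        st = path.stat()
        world_readable = bool(st.st_mode & stat.S_IROTH)  # "available to everyone" ~ o+r bit
        stale = (now - st.st_mtime) > stale_days * 86400
        matched = []
        if world_readable:  # only content exposed to everyone is scanned here
            text = path.read_text(errors="ignore")
            matched = [name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(text)]
        if (world_readable and matched) or stale:
            findings.append({"path": path.relative_to(root).as_posix(),
                             "world_readable": world_readable, "stale": stale, "sensitive": matched})
    return findings

# Constructed sample share: (relative path, content, mode, age in days).
SAMPLE_FILES = [
    ("public/customers.csv", "alice@example.com,4111 1111 1111 1111\n", 0o644, 3),
    ("payroll.txt", "123-45-6789\n", 0o600, 3),
    ("old_export.log", "nothing sensitive here\n", 0o600, 120),
    ("notes.txt", "meeting agenda\n", 0o644, 3),
]

def build_sample_tree(root, now):
    for rel, content, mode, age in SAMPLE_FILES:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
        p.chmod(mode)
        os.utime(p, (now - age * 86400,) * 2)  # backdate mtime to simulate age

def run_demo():
    """Build the sample tree in a temp dir, audit it and return the findings."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, now)
        return audit_tree(tmp, now=now)
```

Only two of the four constructed files are reported: the exposed customer export (readable by everyone and containing an e-mail address and a card number) and the 120-day-old log; the private payroll file and the harmless public note are not.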


8. Create and maintain an incident response plan

There are several parts to a resilient security response plan: Draft a plan, get it approved, regularly train employees, and do test runs.

Reality check: 83% of organizations admit to failing to execute all these stages.

Pro tip: Conduct random tests to see how admins and regular users react to security threats and evaluate how your plan is working in real life.

9. Update admin passwords regularly

If an administrator’s credentials are compromised by attackers, whether the credential is shared or not, the entire IT infrastructure is at risk. Security experts recommend changing admin passwords at least every quarter.

Reality check: Only 38% of organizations change their admin passwords at least once every 90 days.

Pro tip: Don’t use shared admin passwords, even if you update them every week. Each privileged user should have their own admin credentials and the passwords should be changed regularly.

10. Update user passwords regularly

While the goal of threat actors is to get administrative credentials, the gateway to that information is oftentimes accessing a user’s credentials. A security best practice is to require users to change their passwords at least every 90 days.

Reality check: 42% of organizations mandate a password change less frequently than once a quarter.

Pro tip: Require users to choose strong passwords (with a minimum number of characters and symbols) and change them once every 90 days. Also consider deploying multifactor authentication and single sign-on.

    Following these security best practices can help you reduce your attack surface and minimize the risk of security and compliance issues. Rigorously implementing security basics such as finding, classifying and securing your data is essential to preventing attackers from stealing your sensitive data and ruining your company’s reputation.

The opinions expressed within this article are the personal opinions of the author. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.

SUBSCRIBE NOW FOR COMPLETE ISSUE: https://store.eccouncil.org/product/ciso-mag-annual-membership-fee-2/