Showing posts with label information security. Show all posts

Sunday, November 5, 2017

Cyber Resilience- what I've found (Part 1)

A year or so ago I came upon the idea of "cyber resilience", a general concept of 'hardening', toughening, or otherwise making our IT/cyber systems more resilient.  I started seeing the term used a lot, and many of the times I've seen it, it has been used to argue that we need to focus MORE on resilience than on cybersecurity, or that cyber resilience is the next step beyond cybersecurity.

Here are some of the articles I read:  one, two, three.

I have a lot of problems with this idea.  This led me to do research on the topic, and I developed a presentation which I've given twice, most recently at the 2017 ISSA International Conference.  Below you'll find my research.

Now, this is not to say I'm not in agreement with the idea of cyber resilience.  What I have a problem with is the claim that it is separate from, or a next step beyond, cybersecurity.  If people think this, I think they don't understand what cybersecurity SHOULD be.

Monday, September 26, 2016

FFIEC updates (finally) their Information Security IT Examination Handbook

Well, after ten years, the FFIEC has finally updated their Information Security IT Examination Handbook.

So probably some are wondering what this is and why should they care.  If you don't work in the financial industry, you may not be aware of all of this.

The FFIEC is the Federal Financial Institutions Examination Council, a government interagency body that sets down uniform principles, standards, and report forms regarding the examination of financial institutions.  The Council is made up of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), the Consumer Financial Protection Bureau (CFPB), and the State Liaison Committee (SLC), which itself includes representatives from the Conference of State Bank Supervisors (CSBS), the American Council of State Savings Supervisors (ACSSS), and the National Association of State Credit Union Supervisors (NASCUS).

So basically if you work for banks or credit unions, you have dealt with this.  If you do IT Security consulting in this realm, you have come across them.


Friday, April 24, 2015

"The Frugal CISO" by Kerry Anderson

Currently I am reading through Kerry Ann Anderson's The Frugal CISO (CRC Press, 2014).

I am always on the lookout for good infosec books, and one area that I think is underserved is books aimed at the top-level security professional on how to implement a good information security program.

This one I had discovered thanks to a related article the author had in a recent issue of the ISACA Journal on information security maturity models ("From Here to Maturity—Managing the Information Security Life Cycle", v6, 2014). She makes use of the Nolan Model, which I wasn't familiar with (being more familiar with the CMM/CMMI-based models).  The article was interesting, and I wanted to know more about the idea; she spends a chapter on this concept, which is good.  I think this would be a better maturity model for infosec groups to use than a CMM-based one.

I am currently reading through the book, basically jumping around based on my interests.  What I see is pretty good.  She has material on hiring and building an infosec team, policies, controls, and more.  Her main theme overall is being frugal, being smart about what you are spending money on, an important concept in today's cost-cutting climate.

This is not a full review of the book.  I will probably post something like that later on.


Monday, November 10, 2014

Is the Information Security Skills Gap misidentified?

In recent postings, I've touched on the information security skills gap.  Many individuals and groups are pushing the idea that the large number of unfilled information security positions (40% is a number I've seen tossed around) is due to a "skills gap", that there are not enough skilled individuals to fill them.  And so we need to pump out more infosec professionals.

As noted, I'm not in agreement with this idea.  There may be a skills gap in certain areas and in certain markets, but I don't think it's correct to say we have an overall skills gap.