For 36 hours during the last weekend in January, more than 1,000 participants attended one of the largest women's hackathons ever held, SheHacks Boston.
SheHacks Boston organizer Natalie Pienkowska said that the event was a way to counter the “ridiculous” amount of inequality that remains in the modern workplace.
“Women and non-binary individuals are not getting treated the same way as men in the workplace,” Pienkowska said. “We want to inspire women in technology and in other professions to achieve.”
A hackathon is a social event that brings a large number of computer programmers together to build a new software program, generate ideas or further some social goal. Oftentimes, hackathons are designed to offer participants a low pressure, low stress environment to develop ideas and solve problems.
SheHacks Boston organizers said they strove to make attendees feel empowered to pursue technology as a class, major, hobby or even career. The event offered more than 50 workshops for attendees and made a variety of mentors available to them throughout the day.
Samantha Provenza of Girl Develop It, a nonprofit which provides opportunities for women interested in software development, has experience with all-female hackathons. She was an organizer for Hackentine’s Day, an all-women’s hackathon held last February.
“It’s really important to have a welcoming, non-judging environment for beginners where they can learn new skills, showcase the ones they already have and gain a huge feeling of accomplishment for creating something,” Provenza said.
Providing role models for attendees is also important, a goal the SheHacks Boston organizers tried to meet by selecting an all-female group of keynote speakers.
“We looked for individuals who were excited about inspiring the next generation of female STEMinists,” said Marla Odell, the head of student innovation for SheHacks. “We very deliberately invited speakers with a breadth of backgrounds, experiences, and expertise throughout the technology sector.”
The lineup featured tech entrepreneurs, academics and students. Among them: Julie Johnson, the co-founder and president of Armored Things, a startup using IoT devices to secure venues; robotics expert Cynthia Breazeal, an associate professor of Media Arts and Sciences at the Massachusetts Institute of Technology, where she is the director of the Personal Robots Group at the MIT Media Laboratory; and Jesslyn Tannady, a computer science and media arts and sciences major at Wellesley College. Tannady is already making her mark in technology, having developed an augmented reality application for Microsoft's HoloLens that is on track to serve as a prototype for navigation tools for astronauts on Mars.
As for aspiring women technologists, SheHacks’ Pienkowska had some simple advice:
“The most important thing they can do is be confident and spread the confidence in being a techie as a woman,” she said.
With enforcement of the EU General Data Protection Regulation (GDPR) in the offing, organizations are busy preparing for a new era in privacy regulation. But UK companies that are Cyber Essentials certified are at an advantage, according to Jamie Akhtar, co-founder and CEO of UK-based cybersecurity startup CyberSmart.
“Cyber Essentials provides the baseline for standards like GDPR, HIPAA, NIST, PCI-DSS and ISO 27001, because you can demonstrate that you have taken care of the biggest risk areas. It actually forms that technical baseline to build on top of your policies, risk assessments and your business continuity,” Akhtar said during the CompTIA webinar titled You have 99 problems, but cybersecurity isn’t one of them.
Cyber Essentials is a UK government-backed certification under which organizations in the UK implement a set of basic technical controls to protect themselves against cyberattacks, he explained. Launched in 2014, the scheme was developed by the UK government together with the Information Assurance for Small and Medium Enterprises (IASME) consortium and the Information Security Forum. The UK government claimed that putting these simple controls in place would stop around 80% of common attacks, he said.
The aim of Cyber Essentials certification is to help organizations safeguard sensitive data by implementing reasonable security measures, much as the GDPR aims to strengthen data protection, Akhtar added. The lessons Cyber Essentials teaches can also help companies around the globe as they strive to meet the GDPR's data protection requirements and other compliance regulations like it, he said.
Akhtar called the implementation of GDPR a long overdue, important change to how legislators address data protection.
“Over the last couple of decades it’s kind of been like the Wild West of data,” he said. “Companies have gathered data, stored data, but they haven’t really taken good care of it. With more and more of our lives becoming digital … the more important data protection and privacy is.”
The Cyber Essentials standard covers five security control areas, he added:
- Boundary firewalls and internet gateways: Making these an integral part of network security helps prevent attackers from reaching computers with vulnerable software installed.
- Secure configuration: This minimizes the potential for exploitation of vulnerabilities. Steps include fundamental cyber hygiene such as avoiding the use of default passwords and disabling unnecessary services.
- User access control: Organizations must ensure everyone has only the access to data that is appropriate for the role they are performing.
- Malware protection: Organizations must make sure that anti-malware protection is installed and kept up to date.
- Patch management: Timely application of patches should be a priority for preventing breaches.
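The five control areas above are a checklist, and a checklist is easiest to keep honest when it is run against an inventory. The script below is an added example, not code from the webinar, CompTIA or the Cyber Essentials scheme: it audits a constructed list of host records against each area and reports every finding. The record layout, the list of default credentials, the 7-day signature-freshness bound, the 14-day patch window and the approved-port set are all assumptions chosen for illustration, not the scheme's official test criteria.

```python
"""Audit constructed host records against the five Cyber Essentials control areas.

Added example; thresholds and the record layout are assumptions, not the scheme's own tests.
"""
from dataclasses import dataclass

# Constructed list of widely known factory credentials (illustrative only).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"),
                       ("root", "root"), ("admin", "")}
MAX_SIGNATURE_AGE_DAYS = 7      # assumed freshness bound for anti-malware signatures
MAX_PATCH_AGE_DAYS = 14         # assumed window for outstanding critical patches
PERMITTED_INBOUND = {22, 443}   # ports the business has explicitly approved (assumed)
UNNEEDED_SERVICES = {"telnet", "ftp", "smbv1"}  # services that should be off by default


@dataclass
class Account:
    name: str
    password: str
    is_admin: bool
    admin_justified: bool = False   # is there a documented business need for admin rights?


@dataclass
class Host:
    name: str
    firewall_enabled: bool
    inbound_ports: frozenset
    services: frozenset
    accounts: tuple
    antimalware_installed: bool
    signature_age_days: int
    oldest_unapplied_critical_patch_days: int   # -1 means nothing outstanding


def check_boundary_firewall(h):
    findings = []
    if not h.firewall_enabled:
        findings.append("host firewall disabled")
    for port in sorted(h.inbound_ports - PERMITTED_INBOUND):
        findings.append(f"unapproved inbound port {port} reachable")
    return findings


def check_secure_configuration(h):
    findings = []
    for a in h.accounts:
        if (a.name, a.password) in DEFAULT_CREDENTIALS:
            findings.append(f"account '{a.name}' still uses a default password")
    for svc in sorted(h.services & UNNEEDED_SERVICES):
        findings.append(f"unnecessary service '{svc}' enabled")
    return findings


def check_user_access_control(h):
    return [f"account '{a.name}' holds admin rights without a documented need"
            for a in h.accounts if a.is_admin and not a.admin_justified]


def check_malware_protection(h):
    if not h.antimalware_installed:
        return ["no anti-malware software installed"]
    if h.signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        return [f"anti-malware signatures are {h.signature_age_days} days old"]
    return []


def check_patch_management(h):
    age = h.oldest_unapplied_critical_patch_days
    if age > MAX_PATCH_AGE_DAYS:
        return [f"critical patch outstanding for {age} days (limit {MAX_PATCH_AGE_DAYS})"]
    return []


CONTROLS = {
    "Boundary firewalls and internet gateways": check_boundary_firewall,
    "Secure configuration": check_secure_configuration,
    "User access control": check_user_access_control,
    "Malware protection": check_malware_protection,
    "Patch management": check_patch_management,
}


def audit_host(h):
    """Return {control area: [findings]} containing only the areas that failed."""
    return {area: f for area, check in CONTROLS.items() if (f := check(h))}


def audit_estate(hosts):
    """Map each host name to its failed areas; an empty dict means the estate passes."""
    return {h.name: r for h in hosts if (r := audit_host(h))}


# Constructed sample estate: one compliant server and one legacy box that fails all five areas.
SAMPLE_HOSTS = [
    Host("web-01", True, frozenset({443, 22}), frozenset({"nginx", "sshd"}),
         (Account("ops", "correct-horse-battery", True, admin_justified=True),),
         True, 1, -1),
    Host("legacy-01", False, frozenset({23, 80, 445}), frozenset({"telnet", "smbv1"}),
         (Account("admin", "admin", True), Account("jsmith", "x7!Qp", True)),
         True, 30, 45),
]

if __name__ == "__main__":
    for name, failures in audit_estate(SAMPLE_HOSTS).items():
        for area, findings in failures.items():
            for finding in findings:
                print(f"{name}: {area}: {finding}")
```

Each control area is a separate function so a failing check names the area it belongs to, which is the shape an assessor's report takes; swapping the constructed records for output from a real inventory or configuration-management tool is the only change needed to run it against an estate.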
“The big benefit [of being Cyber Essentials certified] is building customer confidence in you as a service delivery provider, showing them that you have those credentials and that you take security seriously,” Akhtar said.
There is a new moonshot in cybersecurity, and Google’s parent company is calling it Chronicle. Alphabet’s cybersecurity business unit launched last week and plans on selling cybersecurity services to Fortune 500 companies.
Chronicle aims to use machine learning to advance threat detection, the company said. It plans to help companies use their own information to improve security by letting them run analysis faster and store large amounts of data so they can recognize patterns.
“We want to 10x the speed and impact of security teams’ work by making it much easier, faster and more cost-effective for them to capture and analyze security signals that have previously been too difficult and expensive to find. We are building our intelligence and analytics platform to solve this problem,” Stephen Gillett, CEO and co-founder of Chronicle, said in a blog post.
Given the steady rise in global security spending, Gartner analyst Avivah Litan thinks it is wise for Alphabet to spin out a cybersecurity company.
Google has world-class AI and machine learning that the cybersecurity company can use, and also has some of the world’s largest data sets that are invaluable when training machine learning models to find threats and attacks, Litan said.
“With the right people on the problem, Chronicle can translate these Google leveraged assets into world-class security products that are highly effective in combating today’s advancing attacks,” she said.
But Bryce Austin, CEO at Minneapolis-based IT consulting company TCE Strategy, thinks Google is entering a space already saturated with companies offering similar services.
“However, the cybersecurity machine learning space has yet to find a clear front runner,” Austin said in an email interview.
Google is trying to solve a very different problem than it does with its search engine, Austin said. When people search with Google, most "hits" come from websites that want to be found. Google's challenge is to make the most relevant results show up on top and to keep the fake or malicious ones out of the search results, he said.
“This new security offering is exactly the opposite. The ‘hits’ Google will be looking for in cybersecurity are ones that are trying hard to not be found,” Austin said.
The trick will be to provide alerts reporting suspicious network behavior while at the same time not overwhelming human operators with false positives, he added.
But only time will tell how successful Chronicle will be as a cybersecurity company, Litan said.
Two key points could trip Chronicle up, she said. One, staffing: can Chronicle attract the best talent in cybersecurity analytics and threat detection? That is not a given, since competition for such talent is fierce and these sought-after individuals need dynamic environments and financial incentives to thrive, she said.
Two, the go-to-market strategy: can Chronicle sell its still relatively undefined services and products in a very crowded market full of innovative entrepreneurial competitors?
“I’ve seen lots of companies with great technology assets miss the mark and not achieve the success they potentially could,” Litan said.
Despite recent high-profile data security incidents, it seems business leaders still are not acknowledging their IT vulnerabilities: In a recent cybersecurity study, 20% of survey respondents cited business and executive management treating cybersecurity as a "low priority" as one of the top three reasons organizations experience security incidents.
The study, conducted by the Information Systems Security Association and analyst firm ESG, surveyed 343 cybersecurity professionals worldwide. Titled The Life and Times of Cybersecurity Professionals, the survey sheds light on how the cybersecurity skills shortage is worsening for businesses.
The problem is exacerbated because business leaders often don’t understand what information security or cybersecurity is, thus making it a low priority throughout the organization, Candy Alexander, member of the ISSA International Board of Directors and chief architect of the ISSA Cyber Security Career Lifecycle, explained.
The onus also lies on information security and cybersecurity professionals to get a lot better at educating their businesses about cybersecurity, Alexander said.
“As information security folks, we’re technical by nature. When we go in to have those conversations we’re bringing in technical conversation to a non-technical business person,” she said. “It’s clearly not working and we need to get better at having those business discussions.”
Business managers don’t support an appropriate level of cybersecurity and are often content with “good enough security,” Jon Oltsik, senior principal analyst at the Enterprise Strategy Group (ESG) and the author of the report, added. “But good enough security doesn’t work anymore.”
Creating an environment where cybersecurity is a priority from the top of the organization can help mend the situation, he suggested.
Cybersecurity professionals also often don’t understand business methodology, Alexander said. Infosec professionals should sign up for online business communications or business theory classes to help understand the language of business and get better at communicating with the business, she said.
Alexander also stressed the value of networking as a tool to help businesses understand the cybersecurity professionals’ role in an organization. Cybersecurity professionals should look to their peer network to find somebody who is skilled at providing justification for cybersecurity investments and who has a good rapport with the business when doing so, she recommended.
“Latch on to that person and start networking. Use that person as a security mentor,” she said. “If I’m having a hard time getting a concept across to my business, such as maybe budget justification for hiring more staff, then I’m going to go find somebody in my peer network — a fellow CISO or a fellow infosec director — who is really good at it and I’m going to get their input.”
Cybersecurity incidents remain a growing risk for the enterprise in today’s digital world. As a result, an organization’s cybersecurity strategy usually isn’t just about prevention anymore, but also about risk mitigation and building resiliency.
Many organizations are reinforcing their cybersecurity strategy by buying cybersecurity insurance. Cybersecurity insurance is still in its nascent stage of development, but businesses worldwide are beginning to recognize its importance in today's evolving threat landscape: Auditing firm PwC predicts cyber insurance premiums will grow to $7.5 billion by the end of the decade.
At the recent MIT Sloan CFO Summit in Boston, panelists during a session titled Cybersecurity: How much is too much? talked about the role cybersecurity insurance plays in an organization’s overall cybersecurity strategy.
“In terms of cyber insurance, it is a pretty new industry; it’s still maturing,” Aparna Ramesh, CFO at the Federal Reserve Bank of Boston, said. “I think it will be interesting to see what kind of analysis and information comes out once this industry matures.”
Designed to mitigate financial losses from incidents like data breaches, cyber insurance can protect businesses from some of the risks involved in doing business online. Cybersecurity insurance policies can help cover extra expenditures such as regulatory costs and meeting customer notification requirements that result from the theft or destruction of digital assets.
But Pietr Lindahl, senior director of cyber threat reduction and strategic analysis at Philips, advised organizations against solely relying on cyber insurance.
"It may help soften the blow from a financial perspective, but it hasn't done anything to protect your brand reputation or ensure business continuity," Lindahl said.
Several factors are considered when budgeting and planning an organization's cybersecurity investments, including insurance policies, Lindahl said. The amount budgeted will vary based on the company's risk profile, what kind of information it holds that could be targeted and what kind of proprietary information it has, he added. He also advised organizations to reevaluate their threat landscape and risk appetite annually.
Scott Ward, CFO at Cybereason and a co-panelist, sees cybersecurity insurance as “just another tool in the toolkit” of organizations trying to prevent and prepare for cyberattacks.
To think of it as a silver bullet is wrong, Ward stressed. After Target's huge 2013 data breach, cyber liability insurance covered only 36% of the company's associated costs, he reminded the audience.
“A lot of technology is still evolving, changing and improving and the same has to be said with cyber insurance policies. There is a lot of work going into those policies in the development and understanding what’s covered and what’s not. It’s definitely a work in progress,” Ward said.
Panelists speaking at a session titled Right Hand, Left Hand: Transparency, Communication and Conflict at the recent Cambridge Cyber Summit agreed that the government and private industry must cooperate to protect U.S. citizens’ data security and online privacy.
Numerous obstacles remain to a true government-business cybersecurity partnership, however: One is the lack of an agile regulatory structure that can handle agile technology, according to Tom Wheeler, former chairman of the Federal Communications Commission.
“The challenge is we look at 21st century technology issues and discuss them in 20th century terms and propose 19th century solutions,” Wheeler said. “That paradigm has to be broken … the going forward regulatory structure has to be one that does not retreat from the field, but leaves behind industrial era concepts to become more agile, and that means working with the companies.”
The technological revolutions that have occurred over the course of history show how innovation rapidly replaces old institutions, Wheeler said. The challenge lies in dealing with the maturation process, he added.
The approach that companies in the technology industry have taken, for the most part, has been to keep the government away, he said, but private companies and the government must work together to collectively address the issue.
“Step one is you have to engage, you can’t say government is the problem. You have got to say, ‘how do we make it work?'” he said.
Glenn Gerstell, general counsel for the NSA and a co-panelist, predicted the government-business cybersecurity strategy relationship will get better in the next five years, especially from an information sharing perspective.
“There is absolutely a clear convergence on the understanding of the private sector about the role that the government can play in this area, that it’s more educational in the part of the government, so I definitely think it’s moving in the right direction,” Gerstell said.
But the process for government-business cybersecurity interaction and information sharing has to be transparent, according to co-panelist Monika Bickert, head of global policy management for Facebook.
Companies like Facebook have clear rules about how to respond to government requests for access to data, and there are situations in which private companies would proactively provide information to the government, she explained.
“With the government, our role is making sure that we have the channels of communication open and working and transparent,” she said.
Bickert encouraged more cybersecurity strategy partnerships among the private sector and between government and industry, but said regulations aren’t always the right way to address privacy concerns.
“Let’s get the guidance from the government about what their concerns are, especially from the safety standpoint, and then figure out, as companies, how to address those without regulations,” she said.
It’s no secret that data protection has become integral to bottom line success for digital businesses. As a result, it’s time for InfoSec professionals to crawl out of their caves and start communicating with the rest of the business, Tom Kartanowicz, head of information security at Natixis, North America, told the audience at the recent CDM Media CISO Summit.
To facilitate this communication, the language these professionals need to use is the language of security risk, Kartanowicz said.
“As security professionals, if we want to be taken seriously we need to put what we do into the risk lens to talk to the business so they understand the impact and how we’re trying to reduce the impact of the types of threats we’re seeing,” Kartanowicz said.
For example, even though the chief information security officer and chief risk officer may appear to be two different islands in an organization, they are part of the same team, he reminded the audience.
The business is the bridge that links them together, so instead of working in silos, security professionals should build what Kartanowicz calls a "friends and family plan" that forges alliances with other departments in the organization. The human resources department can help discipline somebody who might be an internal threat to the organization, corporate communications can help talk to the media and customers when there are incidents like DDoS and malware attacks, and the legal department can be a valuable ally when it is time to take action against bad actors, he explained.
“As the CISO or as the head of InfoSec, you are missing out on a lot of valuable intelligence if you are not talking to all these different teams,” he stressed.
Risk mapping, a data visualization technique that lays out an organization's specific risks by likelihood and impact, is an effective way to identify threats and vulnerabilities and then communicate them to the business, he said. Risk mapping helps an organization decide where it is going to spend its security budget and how to implement solutions and, most importantly, helps identify specific instances of risk reduction, he said.
Kartanowicz said there are two things to consider when evaluating and determining the likelihood of a risk: how easy it is to exploit and how often it occurs.
“If the vulnerabilities require technical skills held by 1% of the population, it’s going to be pretty difficult to exploit,” he said. “If on the other hand, anybody on the street can exploit it, it’s going to be pretty easy.”
It is then time to address the specific risks, he said.
Using tools such as the NIST Cybersecurity Framework can help InfoSec reduce the risks, he said. It's important that organizations tie their disaster recovery, backup strategy, business continuity and crisis management into whatever framework they choose, he added. Organizations should also ensure they have baseline controls in place to help minimize the risk of a data breach, he added.
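The two likelihood factors Kartanowicz names, ease of exploitation and frequency, together with impact, are enough to build a small quantitative risk map and to show the "specific instances of risk reduction" he describes: score each risk before and after its controls and place it on a likelihood-by-impact grid. The following is an added example written for this article, not Kartanowicz's or Natixis's own method; the three-point scales, the likelihood bands, the sample risks and the effect assigned to each control are constructed assumptions, and a real register would calibrate them against the organization's own incident data.

```python
"""Risk map: likelihood = ease of exploitation x frequency, score = likelihood x impact.

Added example; scales, sample risks and control effects are constructed assumptions.
"""
from dataclasses import dataclass, field

EASE = {"rare skill": 1, "some skill": 2, "anyone": 3}   # how easy is it to exploit?
FREQUENCY = {"yearly": 1, "monthly": 2, "daily": 3}      # how often does it occur?
IMPACT = {"low": 1, "moderate": 2, "severe": 3}


@dataclass
class Control:
    """A mitigation, expressed as the change it makes to each level (negative = reduces)."""
    name: str
    ease: int = 0
    frequency: int = 0
    impact: int = 0


@dataclass
class Risk:
    name: str
    ease: str
    frequency: str
    impact: str
    controls: list = field(default_factory=list)


def clamp(level):
    """Keep a level on the 1..3 scale; a control cannot push a factor below 1."""
    return max(1, min(3, level))


def likelihood(r, with_controls=True):
    e, f = EASE[r.ease], FREQUENCY[r.frequency]
    if with_controls:
        e = clamp(e + sum(c.ease for c in r.controls))
        f = clamp(f + sum(c.frequency for c in r.controls))
    return e * f   # 1..9


def impact(r, with_controls=True):
    i = IMPACT[r.impact]
    if with_controls:
        i = clamp(i + sum(c.impact for c in r.controls))
    return i


def score(r, with_controls=True):
    """Inherent score (with_controls=False) or residual score (with_controls=True), 1..27."""
    return likelihood(r, with_controls) * impact(r, with_controls)


def risk_reduction(r):
    """The specific reduction the risk's controls buy: inherent minus residual score."""
    return score(r, False) - score(r, True)


def likelihood_band(value):
    return "high" if value >= 6 else "medium" if value >= 3 else "low"


def risk_map(risks, with_controls=True):
    """Place each risk on the grid, keyed by (likelihood band, impact level)."""
    grid = {}
    for r in risks:
        key = (likelihood_band(likelihood(r, with_controls)), impact(r, with_controls))
        grid.setdefault(key, []).append(r.name)
    return grid


def ranked(risks, with_controls=True):
    """Highest-scoring risks first: where the budget conversation should start."""
    return sorted(risks, key=lambda r: score(r, with_controls), reverse=True)


# Constructed sample register (assumed values, for illustration only).
SAMPLE_RISKS = [
    Risk("ransomware via phishing", "anyone", "daily", "severe", [
        Control("mail filtering and awareness training", frequency=-1),
        Control("MFA and least privilege", ease=-1),
        Control("tested offline backups", impact=-1),
    ]),
    Risk("lost unencrypted laptop", "anyone", "monthly", "moderate", [
        Control("full-disk encryption", impact=-1),
    ]),
    Risk("zero-day in custom web app", "rare skill", "yearly", "severe", [
        Control("network segmentation", impact=-1),
    ]),
]

if __name__ == "__main__":
    for r in ranked(SAMPLE_RISKS, with_controls=False):
        print(f"{r.name}: inherent {score(r, False)}, residual {score(r)}, "
              f"reduction {risk_reduction(r)}")
    print(risk_map(SAMPLE_RISKS))
```

Because the factors are clamped, a control aimed at a factor that is already at its floor (a yearly, rare-skill exploit) yields no reduction on that axis, which is exactly the kind of misallocated spend a map makes visible before budget is committed.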
But as threats evolve and vulnerabilities change, he suggested that the risk map be re-evaluated annually. Business requirements are constantly evolving and organizations are always entering different markets, but companies need to be constantly aware of the threat landscape, he added.
“Incidents will always occur; risk is not going away,” he said.
For information technology professionals, obtaining certifications has become an important way to demonstrate their knowledge, experience and qualifications. Although certification programs are often fostered or supervised by certifying agencies or professional associations, some major computer software and hardware vendors provide certification programs for practitioners who install and run their products, such as Cisco's CCNP and CCIE programs. In this guest post, Chris Crotteau, manager of customer engineering at Santa Barbara, Calif.-based IT infrastructure and services provider Curvature, argues that while vendor-specific certifications such as the ones offered by Cisco are still beneficial, networking professionals should consider multi-vendor certifications to build their skills and further their career path.
The case for multi-vendor certifications
There was a time when Cisco certifications were the best bet for networking professionals seeking to get ahead or just snag a great job. In fact, obtaining Cisco certifications was often considered the fastest route up the corporate ladder for aspiring network operations leaders. Times are changing, though. IT management increasingly is looking beyond just Cisco technical skills when assessing a candidate's ability to build and nurture a modern enterprise network.
Having CCNP (Cisco Certified Network Professional), CCIE (Cisco Certified Internetwork Expert) or CCAr (Cisco Certified Architect) after your name still carries a lot of weight, but so does a growing list of vendor-neutral IT certifications from organizations such as (ISC)2 or CWNP.
This is true because multi-vendor networks are growing quickly, for a number of reasons. Customers are looking for ways to save money, avoid vendor lock-in or find the best-of-breed products for their needs. The truth is, the networking space is now a competitive market in many areas, and Cisco’s product options sometimes come with significant compromises or reinforce an uncomfortable degree of vendor lock-in.
Recently, I experienced this point when a customer’s CCIE-level engineer was so heavily biased toward Cisco that he was unwilling to look at a solution from Arista Networks that would have eliminated some significant compromises in the proposed network’s routing design. This lack of knowledge and comfort with the world of networking beyond Cisco managed to create a situation where a substantial amount of additional complexity was introduced for no good technical reason.
The experience above really demonstrated the problem with leaning too hard on Cisco certifications. While they prove strong expertise in a pivotal area, those certifications can also foster a degree of closed-mindedness and over-reliance on Cisco proprietary technologies, to the detriment of a broader array of knowledge and skills in the networking world. This, of course, raises another issue: While organizations like CompTIA offer entry-level certifications, there is a real lack of professional- and expert-level certifications that prove broader knowledge of industry-standard, open networking principles. Such certifications would be vendor-agnostic and far-reaching. Let's hope some forward-thinking organization will step up to take this challenge.
In the meantime, network professionals intent on building their skills and career paths should attain other certifications such as (ISC)2's Certified Information Systems Security Professional (CISSP). Beyond the technical realm, it's equally important to understand the necessity of core project and overall organizational management skills, which can be formalized by certifications such as Project Management Professional (PMP), Certified Associate in Project Management (CAPM) and ITIL.
The steady rise of these certifications demonstrates that operational prowess is gaining ground as IT management looks to groom both business and technology leaders. And while CCIE status won’t lose its luster anytime soon, there’s a multitude of reasons why it shouldn’t be considered the end-all, be-all.
Don’t get me wrong, a CCIE certification is still the pinnacle of Cisco networking expertise because it means passing arguably the toughest test for any senior-level engineer. That said, it should really be more of a jumping-off point for developing broader business skills and understanding other networking technologies and systems.
In the future, CIOs will be looking for smart, savvy engineers with more than just serious technical understanding. They’ll assign equal or maybe even more clout to business acumen and multi-vendor knowledge that helps drive IT innovation and the company forward.
Chris Crotteau is manager of customer engineering at Curvature, where he leads development of customer-focused network hardware and maintenance solutions. He joined the company in January 2004 as an operations technician. Prior to his latest position, Crotteau served as a sales engineer responsible for providing technical solutions and training on new products from Cisco and Curvature’s OEM partners. Crotteau earned a bachelor’s in mechanical engineering from University of California, Berkeley.
After the U.S. was allegedly plagued by Russian cyberattacks during the election, members of both the Democratic and Republican parties are now calling for investigations. Also in recent GRC news: U.S. auto-safety regulators proposed new rules that would require car manufacturers to implement technology allowing vehicles to "talk" to each other in an effort to improve safety, and a recent study showed that one quarter of worldwide ransomware attacks target the United States.
Russian hacking allegations continue
Talk of Russian intervention in the presidential election did not end on Election Day. Now, Democrats and Republicans alike are calling on the U.S. government to open a full investigation into just how large a role Russia played in shaping the 2016 presidential race, the New York Times reported. President Obama has ordered a full intelligence review of Russian hacking that he wants completed by the time he leaves office on January 20.
New allegations suggest that Russia is not stopping with the U.S. election process, the BBC reported: German politicians warn that the country's 2017 parliamentary lower house (Bundestag) election is now at risk of Russian intervention via cyberattacks, after files stolen from the Bundestag in 2014-2015 recently surfaced on WikiLeaks. The files were taken from the committee responsible for investigating the NSA's spying on German politicians.
Both the Kremlin and President-elect Donald Trump have rejected the CIA and FBI's claims of Russian election hacking, with Trump recently tweeting, "If Russia, or some other entity, was hacking, why did the White House wait so long to act? Why did they only complain after Hillary lost?"
Next-gen cars to communicate with each other
Auto regulators have proposed new rules that would require car manufacturers to implement crash-avoidance technology that allows cars to communicate with each other, USA Today reported. The National Highway Traffic Safety Administration is striving to eliminate roadway deaths within 30 years, and this technology would mark a significant step toward that goal.
The technology, dubbed “V2V” or “vehicle to vehicle” within the auto-industry, “would require automakers to comply on 50% of their new vehicles within two years and 100% within four years,” according to USA Today.
Malware attacks on the U.S. increase
A recent analysis conducted by security firm Malwarebytes has shown that more than a quarter of ransomware attacks blocked by its software targeted users in the United States, eWEEK reported. After analyzing about half a million ransomware attacks in 200 countries, the company discovered that 26% of attacks targeted the U.S., with Germany and France in distant second and third places, respectively.
Adam Kujawa, director of malware intelligence at Malwarebytes, told eWEEK that ransomware has seen significant growth in 2016, saying, “Throughout the whole year, ransomware has been the dominant problem. It has just kept growing.”
The future of regulatory compliance is under scrutiny as President-elect Donald Trump’s administration continues the transition process. Also in recent GRC news: Hackers demanded ransom after disabling San Francisco’s transportation system, ‘dronejacking’ could become the next security issue and Facebook hits another EU privacy roadblock in its quest to use WhatsApp’s data.
The future of compliance under President Trump
President-elect Donald Trump has said he will dismantle Dodd-Frank and has stated that 70% of federal regulations are unnecessary, leaving some to wonder what the future of regulatory compliance will look like.
Roy Snell, chief executive of the Society of Corporate Compliance and Ethics, told the Wall Street Journal that compliance will be fine for the next four years because enforcement remains a "for profit industry."
Governance and compliance attorney Scott Killingsworth of Bryan Cave LLP shared similar views, telling the Journal that "Compliance is still going to be much less expensive than misconduct." Killingsworth added that compliance will remain an important function in business moving forward, regardless of any reduction in regulatory enforcement.
San Francisco transportation system hacked
The San Francisco Municipal Transportation Agency recently fell victim to a ransomware attack on its light rail system. The hackers managed to disrupt some of the transportation agency’s internal computer systems, including email, Forbes reported.
The hackers reportedly demanded payment of 100 Bitcoins, worth about $70,000 at the time, in exchange for removing the ransomware from the transportation agency's systems. The systems were down briefly and resumed full operation later the same day. A spokesperson for the transportation agency said that the attack had little effect on service, telling Forbes, "There has been no impact to transit service, to our safety systems or to our customers' personal information."
‘Dronejacking’: The next big cybersecurity threat?
Consumer drone sales have been growing at an incredible pace, with sales projected to reach $12 billion in 2021 after reaching over $8 billion last year, according to Business Insider. Growing alongside the increasing sales numbers are threats of exploitation and hijacking that could potentially turn drones into tools for espionage or terrorism.
Drones have a high potential for exploitation because they often use unencrypted means of communication and contain "many open ports," Intel Security cybersecurity and privacy director Bruce Snell told International Business Times.
Drone exploits, once discovered, may also be put up for sale on the Dark Web. “Once these toolkits start making the rounds, it is just a matter of time before we see stories of hijacked drones showing up in the evening news,” Snell told IB Times.
Facebook hits roadblock in WhatsApp plans
In its quest to access users’ WhatsApp data, Facebook has hit another roadblock in the EU as it will face additional action over using WhatsApp’s data for its own advertising purposes, Bloomberg Technology reported.