Earning SOC 2 attestation isn't something most innovation consultancies do, but as Matthew Tobiasz explains in this quick video, we think it gives us unique insight that benefits our clients.

🚀 Demonstrating that our own operational controls, data handling, and security practices meet rigorous industry standards frees clients to focus on creating and scaling transformative product solutions without worrying about vulnerabilities or compliance risks.
🚀 Clients with rigorous security standards already in place can feel confident that we both understand and follow similar robust procedures.
🚀 Founders can use us as a sounding board as they define their security culture as they scale.

SOC 2 compliance reinforces our belief that innovation requires a secure foundation. Shout out to Sensiba LLP for guiding us through the process!

--------------------------------------------

👋 Hi, we’re Sightglass. We help ambitious founders build technology products, services, and businesses that grow value and capture new demand. DM us, and we’ll tell you how you can uncover organic growth opportunities for your business.

#innovationconsulting #technologyinnovation #productinnovation #businessconsulting #cleantechnology #climateinnovation
Sightglass’ Post
More Relevant Posts
From #cybersecurity’s reign as top tech risk to #AI’s growing audit role, our latest Global Internal Audit Perspectives on Top #Technology Risks survey reveals the tech priorities defining tomorrow. Are you prepared for this changing landscape? Read more: https://ow.ly/nnx450U9HOM #2024IATopTechRisks #InternalAudit #ITAudit
🚀 Hurry! Last chance to secure your spot for the free webinar on April 11th, 2024! 📅

Join us for an enlightening session titled "Effectively Managing Compliance and Security with an Integrated Requirements Management and DevSecOps Approach," featuring Fernando Valera, Visure Solutions’ CTO. 🛡️

In this session, you'll delve into:
✅ Integrated Approach: Discover the power of merging #RequirementsManagement and #DevSecOps for robust compliance and security. 💪
✅ Regulatory Strategies: Master navigating compliance amidst ever-changing #regulatorylandscapes. 🌍
✅ DevSecOps Principles: Learn essential principles to enhance efficiency, tackle vulnerabilities, and foster a proactive security mindset. 🔐
✅ Collaborative Streamlining: Unlock the potential of team collaboration for heightened efficiency and effectiveness. 🤝
✅ Risk Reduction: Gain clarity on how aligning compliance with DevSecOps principles proactively mitigates risks. 📉

Don't miss out on these vital strategies for seamless compliance and security management throughout the development lifecycle. Reserve your spot now: https://lnkd.in/gq46z8jE 🎯

#Compliance #DevSecOps #DevelopmentLifecycle
Integrating AI into the tax function presents both remarkable opportunities and significant challenges regarding the management of technology risk. I strongly encourage leaders to catch up on the recent July 11th EY webinar addressing responsible digital innovation in times of transformation. Among other topics, the panel discussion offers tactical insights into identifying and mitigating technology risks through pre-implementation assessments, System and Organization Control (SOC) reporting, and essential attestations for third parties. Leaders Natalie Deak Jaros, Daryl Box, Brandon Miller, and Jaime Kipnes also discuss cybersecurity program assessments, the new NIST 2.0, and the importance of maintaining a proactive stance in the current technological climate. As we build out the #futureoftax, let’s make sure we do so responsibly. Tune in here: https://lnkd.in/gvbEcBtP
📽️ Did You Miss TechGuard in May? Here’s Your Second Chance!

Back by popular demand, TechGuard: Empowering Capital Markets with Resilient Technology Risk Framework is making its highly anticipated return! If you missed the first session, don’t miss this opportunity to catch up on everything you need to know about navigating technology risks in the capital markets.

📅 Date: 26 November 2024
🕗 Time: 9:00 am - 5:00 pm
📍 Venue: M Resort & Hotel, Kuala Lumpur
✅ Fully HRD Corp Claimable

🔎 Why Now?
The Securities Commission Malaysia (SC) has revised its Guidelines on Technology Risk Management, effective 19 August 2024. These updated guidelines go beyond cybersecurity, covering a broader spectrum of technology risks to help organisations stay ahead. Key highlights include:
✅ Strengthened operational reliability, security and resilience to mitigate technology disruptions.
✅ Emphasis on board oversight and accountability for managing technology risks.
✅ Best practices in change management, third-party service provider oversight, reporting and technology audits.
✅ Guidance on Artificial Intelligence (AI) and Machine Learning (ML) adoption, ensuring ethical and secure implementations.

💼 This isn’t just an event—it’s your toolkit to future-proof your organisation and ensure compliance with industry-leading practices. Whether you're in compliance, Information Technology or senior management, this programme will equip you with actionable knowledge to secure your organisation. Don't miss this opportunity to gain insights from our amazing speaker lineup and network with fellow professionals! 🚀

🔗 Seats are limited! Don’t miss your chance to join this power-packed session.
Register today: https://buff.ly/4ebwRee

#TechGuard #SIDC #TechnologyRiskManagement #SCGuidelines #CyberResilience #CapitalMarkets
🌐 In our increasingly interconnected world, the protection of machine identities is paramount for building and maintaining digital trust. The recent news announcing the plan to establish a standardization center underscores the critical importance of collaboration across international standards. By fostering collaboration, we can address the complexities of digital trust more effectively and create a safer digital environment for everyone. Read more about this vital development here: https://okt.to/jhOLB4 #DigitalTrust #MachineIdentity #NIST #Cybersecurity #GlobalStandards
Elevate Security (acquired by Mimecast), Code42 (acquired by Mimecast) and today, Aware. It’s shaping up to be a busy summer. Excited to deliver such great technologies to our 43,000+ global customers and beyond.

As we continue our mission to revolutionize human risk management, we’re excited to announce we’ve acquired Aware, a leading AI-Powered Collaboration Security platform. Combining Aware’s advanced AI-powered contextual intelligence capabilities with our enhanced #HumanRiskManagement platform will provide our customers with state-of-the-art security and compliance needed for today’s collaborative workplaces.

Learn more here: https://lnkd.in/gy_m-S5j

#Cybersecurity #CollaborationSecurity #SecurityAwareness #AI
🔎 What’s the Biggest Barrier to Federal Compliance? Let’s uncover the obstacles and share solutions! Drop your thoughts in the comments. 💻 #CyberSecurityCompliance #ProactiveSecurity

For many organizations, compliance with frameworks like NIST SP 800-53 feels like an afterthought—something tackled after systems are developed. This reactive approach leads to inefficiencies and costly rework.

How to Integrate Compliance:
1. Shift Left: Incorporate compliance early in your development lifecycle to avoid retroactive fixes.
2. Embed Security: Use DevSecOps to make compliance part of your workflows from day one.
3. Automate: Implement tools that track and verify compliance in real time, reducing manual overhead.

What strategies have you found effective in integrating compliance into operations? Let’s learn from each other’s experiences! 🔒

#DevSecOps #ProactiveCompliance #NISTSP80053
⚠️ You’re losing control of your IT. Shadow IT is silently disrupting your operations. ⚠️

In many organizations, employees turn to unauthorized applications and services to meet their needs quickly, bypassing the often slower and more bureaucratic processes of the official IT department. This behavior leads to:
⚡ Security vulnerabilities
⚡ Compliance issues
⚡ Inefficiencies from disparate systems and processes

I understand the frustration. You’re seeing the signs:
🚦 Data silos growing
🚦 Inconsistent security policies
🚦 Weak IT governance
🚦 Rising shadow IT instances

Despite recognizing the risks, your IT department might have tried to mitigate this by:
❌ Attempting to monitor all applications manually
❌ Setting up stricter IT approval processes
❌ Introducing a few sanctioned tools
❌ Conducting sporadic security audits
❌ But it hasn’t yielded the desired results, has it?

I’ve been there. With over 20 years of experience in IT operational excellence, I’ve seen firsthand how shadow IT can derail a cohesive IT strategy. Here's what I’ve learned: a comprehensive, user-centric approach can transform this chaos into clarity.

Here’s how you can regain control:
➡️ Assessment and Inventory: Identify all unauthorized tools and their risks.
➡️ Stakeholder Engagement: Understand why employees turn to shadow IT.
➡️ Policy Development: Create clear, enforceable IT policies.
➡️ User-Centric Solutions: Provide sanctioned alternatives that meet user needs.
➡️ Monitoring and Enforcement: Implement solutions to track and ensure compliance.
➡️ Education and Training: Educate employees on the risks and foster collaboration.

Imagine an IT environment where security is tight, compliance is automatic, and efficiency is the norm. What steps will you take today to reclaim your IT infrastructure?

Always Remember: “Leading with empathy and inspiring excellence can turn challenges into opportunities.”

#ITExcellence #ShadowIT #OperationalExcellence #ITStrategy #TechLeadership
Here’s a typical summary of how we at Alchemmy Security & Resilience go about testing a SOC/SIEM capability.

Endpoint security example:

1: Unit test the most commonly used techniques sourced from actionable Threat Intelligence to inject code into memory, execute that code, escalate privilege, steal credentials and laterally move. All the telemetry generated by the above techniques is subsequently queried from the SIEM platform (automated) and mapped by event ID to validate successful detection. At this point, we know the SIEM has the data (or not), but is it firing detection rules/content packs?

2: Support SOC engineers with any gaps in detection rule logic and retest. Validate success, move to the next.

Automating a lot of this can reduce cost and increase efficiency. Doing this continuously in a factory-like approach provides a continuous quality assurance function for your SOC. The benefits of this are significant in terms of measuring value, quality and efficacy of your SOC.

⚠️ Avoid MITRE ATT&CK bingo! In other words, don’t waste time and precious resources trying to test every possible technique in the MITRE matrix. It’s futile. Focus only on ‘choke points’, which are the common tactics where adversaries profit the most. These are:
- Command execution
- Privilege escalation
- Defense evasion
- Credential access

If you want to get really evasive? As in novel techniques and known unknowns? This is where Red Teams step in and flex their muscles 💪

#ciso #soc #MITRE #attacksimulation
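The "query the SIEM and map by event ID" step of the post above, as an added example that is not Alchemmy's tooling: a small Python harness that takes the test cases a run executed, reads the SIEM results tagged with each test's ID, and reports per test whether the telemetry arrived and whether a detection rule fired, so the two outcomes the post separates (data present vs. rule firing) are kept apart. The correlation tag field, the rule names and which event IDs each technique should produce are assumptions; the sample data is constructed.

```python
from dataclasses import dataclass
@dataclass
class TestCase:
    test_id: str
    technique: str            # choke-point tactic the test exercises
    expected_event_ids: set   # event IDs the technique should produce (assumed mapping)

@dataclass
class SiemEvent:
    test_id: str              # correlation tag the harness stamps on each run (assumed field)
    event_id: int
    rule_fired: str = ""      # name of the detection rule that alerted, "" if none

def assess(test: TestCase, events: list) -> dict:
    """Classify one test: did its telemetry reach the SIEM, and did a rule fire on it?"""
    mine = [e for e in events if e.test_id == test.test_id]
    missing = test.expected_event_ids - {e.event_id for e in mine}
    if not mine:
        telemetry = "missing"     # log source or forwarding gap: nothing to detect on
    elif missing:
        telemetry = "partial"     # data arrived, but some expected event IDs did not
    else:
        telemetry = "complete"
    rules = sorted({e.rule_fired for e in mine if e.rule_fired})
    if telemetry == "missing":
        detection = "no telemetry"
    elif rules:
        detection = "fired"
    else:
        detection = "silent"      # the data is there; the rule logic needs work
    return {"test_id": test.test_id, "technique": test.technique,
            "telemetry": telemetry, "missing_event_ids": sorted(missing),
            "detection": detection, "rules": rules}

def coverage_report(tests: list, events: list) -> list:
    return [assess(t, events) for t in tests]

def detection_gaps(report: list) -> list:
    """Tests to hand back to the SOC engineers (step 2): anything that did not fire."""
    return [r["test_id"] for r in report if r["detection"] != "fired"]

# Constructed sample run. Windows Security 4688/4624/4672 and Sysmon 10 are real event
# IDs; which ones each technique should produce is an assumption made for this example.
TESTS = [
    TestCase("T-01", "Credential access", {4688, 10}),
    TestCase("T-02", "Privilege escalation", {4688, 4672}),
    TestCase("T-03", "Command execution", {4624, 4688}),
]
EVENTS = [SiemEvent("T-01", 4688), SiemEvent("T-01", 10, rule_fired="Suspicious LSASS access"),
          SiemEvent("T-02", 4688)]  # T-02: 4672 never arrived, no rule fired; T-03: no events at all
```

Running `coverage_report(TESTS, EVENTS)` on the constructed data gives one "fired", one "silent" with 4672 listed as missing, and one "no telemetry" result, which is the distinction the post draws between the SIEM having the data and the rules actually firing.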