When doing their work, cybersecurity professionals often come across situations that put their skills to the test. And sometimes those tests have far less to do with technology or business than with questions of ethics. When cyber professionals discover vulnerabilities while performing penetration tests or some other security-related work, is it OK to disclose those vulnerabilities publicly? What happens if system owners are made aware of issues but decide to ignore them? And at which point, while testing systems containing private information, do cyber professionals reach a line they should not cross? These questions were part of a lively panel discussion today at the (ISC)2 Security Congress 2019, taking place in Orlando this week. The session, “Ethics Dilemmas Information Security

The spotlight was on safety at the kickoff this morning of (ISC)² Security Congress 2019, taking place this week in Orlando. First, (ISC)² CEO David Shearer talked about the role that association members have in protecting society through their cybersecurity work. Then, Capt. Chesley Burnett "Sully" Sullenberger, the pilot of flight 1549, which landed on the Hudson River in January 2009, related the events of that day and how he and his co-pilot, Jeff Skiles, safely landed their U.S. Airways Airbus with everyone aboard surviving the event. Shearer spent much of his kickoff address on the importance of abstracting what cybersecurity professionals do from the very users they are protecting. “Our customers’ users simply want to be able to do

It is widely known within the cybersecurity field that there is a severe talent shortage. Organizations across all industries are facing major challenges in staffing their security teams to protect themselves from cyber threats. Healthcare, along with finance and retail, is one of the most commonly-targeted industries by cybercriminals. As the (ISC)2 Cybersecurity Workforce Study revealed, the deficit of cybersecurity professionals has reached critical levels, at nearly 3 million worldwide. According to the March 2018 McAfee Labs Threat Report, healthcare is the most targeted of any sector for cybersecurity attacks. Ransomware attacks, specifically in the healthcare sector, increased by 210 percent between 2016 and 2017. Several academic programs have begun to address filling the workforce pipeline issue. Through its International

by Adam M. Lechnos, CISSP Payment Card Industry Data Security Standards or PCI DSS, are a set of 12 requirements with over 300 controls which apply to any organization which stores, processes or transmits credit card data. Today, I will attempt to add some clarity around PCI compliance within AWS. Concepts and practices were sourced from the referenced document below and here I will break it down further. I do suggest you first read the Architecting for PCI DSS Scoping and Segmentation on AWS and come back to enhance your understanding of the methods being applied and its rationale. For a quick primer on PCI-DSS, please refer to the council's overview PDF.Referenced from: https://d1.awsstatic.com/whitepapers/pci-dss-scoping-on-aws.pdf Infrastructure Services Infrastructure services such as EC2 require the

When M&A auditors look at a target company’s tangible assets, in the vast majority of cases that includes cybersecurity. In a new (ISC)² study about the impact of cybersecurity in M&A, 95% of respondents say they consider cybersecurity infrastructure “a tangible part” of the value calculation. The stronger the infrastructure, including soft assets such as risk management policies and security awareness training programs, the higher a target company’s value will be, according to 82% of respondents. If an audit reveals weak security practices, 52% of respondents would view the cybersecurity program as a liability. What this means for organizations considering a sale is clear: If you take your cybersecurity program lightly, it is bound to drive down the sale price.