Thursday, July 21, 2016

Just Like I Predicted...they want Clarity of Strengths and Strong Emotional Intelligence




For a while now, I’ve been sharing posts about Strengths and Emotional Intelligence.  I just posted a $200,000 - $300,000+ Chief Information Security Officer job for a client of mine located in downtown Chicago, IL.  For someone, this is their dream career move.

The connection between this CISO Job and Strengths and Emotional Intelligence is that during my conversation with my client’s executive leadership earlier this week, I was able to ask my client what characteristics, traits and skills they wanted to see in their Cybersecurity Leadership.

It didn’t take long for my client to tell me that the last CISO they hired operated like the “Security Police”.  

My client wants a CISO who can adapt to and understand their business and the needs of their business leaders as well as customers. This request calls for a CISO who can listen, who is persuasive and collaborative, and who is both strategic and visionary.

My client wants a CISO who can see down the road and build a Cybersecurity program that isn’t caught by surprise, which is what happens when a CISO can only see what is in front of them today and not the threats that might occur in the future.

Futuristic is the Strength a CISO would have if they are truly visionary.  Strategic is the Strength a CISO would have if they are strategically minded rather than being tactical.  In order to lead, guide and mentor a team, the CISO my client wants would have a mix of Relationship Building, Influencing and Executing Strengths.

The Emotional Intelligence piece of this discussion came to the surface when my client described how they wanted their new CISO to interact with and engage with senior executives in their company as well as senior executives at the clients they serve.  While one’s Strengths are hard-wired, Emotional Intelligence skills can be developed and coached.

When I have this kind of CISO search on my desk, I have to go out and find someone who is ready for the job.  Lots of people have the technical skills to perform well in a job as significant as the one that sits on my desk, but only a small portion of the people who are qualified to be effective CISOs have the rest of the skills, traits and characteristics my client is seeking.

This is why I consistently share information about Strengths and Emotional Intelligence.  

Just in case you wanted to know!



Security Jobs: Manager, Cybersecurity Governance, Risk Management, Compliance, Chicago, Illinois


Cybersecurity Manager, Governance, Risk Management, Compliance
Location: Chicago, IL
Compensation: Mid $100s
Relocation: Strongly Prefer Local Candidates

SecurityRecruiter.com has been engaged to identify, recruit and deliver a Cybersecurity Manager who will oversee Governance, Risk Management and Compliance for our downtown Chicago, IL client.  The GRC Manager will work closely with the CISO to provide guidance to all activities in the organization that fall into the realm of cyber risk.


Our client’s organization is a hierarchical environment driven by procedures and processes.  Candidates who prefer structure as opposed to a start-up-like environment will appreciate this global organization.  The candidate our client seeks will demonstrate a passion for cyber risk through thought leadership, problem solving abilities and their ability to work with cross-functional teams across the organization.


This role requires a GRC expert who possesses 3-6 years of experience in the field of Compliance, IT Risk Management, Information Security, Privacy and more.  Working knowledge of ISO 27001 / ISO 27002 is appreciated.

Certifications including CISM, CISSP and/or CRISC, among others, are appreciated.

This is an abbreviated job description.  A full job description will be shared with qualified candidates.


Security Jobs: Chief Information Security Officer, Chicago, IL


Chief Information Security Officer
Location: Chicago, IL
Compensation: Executive Package
Relocation: Strongly Prefer Local Candidates


SecurityRecruiter.com has been engaged to identify, recruit and deliver a Chief Information Security Officer to a downtown Chicago, IL client.  The CISO will have a 10+ year track record of growth that includes information security subjects and related technology, risk management, and the ability to lead a team by leveraging strong business acumen and healthy emotional intelligence and social intelligence.

Our client’s organization is a hierarchical environment driven by procedures and processes.  Candidates who prefer structure as opposed to a start-up-like environment will appreciate this global organization.  

This role reports to a highly intelligent leader who strives to maximize the customer’s experience through calculated risk taking, high integrity and setting high expectations that are followed by exceptional results.


This role requires a CISO who can provide leadership to a team of analysts, engineers, architects and managers.  The CISO will demonstrate strong understanding of emerging cybersecurity threats, data privacy laws and risk management. He / She will be visionary and strategic and will be an exceptional communicator who can work effectively with senior executives and clients.

Certifications including the C|CISO, CISSP, CISM, CISA and GIAC credentials are appreciated, along with a four-year BA/BS college degree.

This is an abbreviated job description.  A full job description will be shared with qualified candidates.

Jeff Snyder’s SecurityRecruiter.com, Security Recruiter Blog, 719.686.8810

Cybersecurity Vulnerability and Patch Report for July 17, 2016


CYBERSECURITY VULNERABILITY AND PATCH REPORT

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP

Important Security Updates

Adobe Reader: Adobe has released version 2015.017.20050. Updates are available through the program’s Help menu/Check for Updates or from Adobe’s website.
Adobe Flash Player: Adobe has released version 22.0.0.209 to fix at least 52 vulnerabilities. Updates are available from Adobe’s website.
Comodo Free Firewall: Comodo has released version 8.4.0.5076 of its free firewall. Updates are available from Comodo’s website.
Comodo Internet Security: Comodo has released version 8.4.0.5076 of its free security suite. Updates are available from Comodo’s website.
Microsoft Patch Tuesday: Microsoft’s Patch Tuesday released 11 updates to address at least 40 vulnerabilities, some of which are highly critical within Windows operating systems, Internet Explorer, Office, and other Microsoft products.  Additional information is available at Microsoft’s website.

Current Software Versions

Adobe Flash 22.0.0.209
Adobe Reader DC 2015.017.20050
Dropbox 6.4.14 [Citadel warns against relying on security of Dropbox or other cloud-based file exchange systems. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the master Dropbox [or other] password be at least 15 characters long and different from other passwords.]
Firefox 47.0.1 [Windows]
Google Chrome 51.0.2704.106
Internet Explorer 11.0.9600.18161
Java SE 8 Update 91 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.9 [Citadel recommends removing QuickTime. On April 14, US-CERT advised Microsoft Windows users to remove QuickTime. This followed a report in ars technica that Apple has no plans to update the Windows app despite at least two reliable QuickTime vulnerabilities that threaten Windows users who still have the program installed.]
Safari 9.1 [Mac OS X Mavericks, Yosemite, El Capitan]
Skype 7.25.0.106

For Your IT Department

Cisco Multiple Products: Cisco reports patched vulnerabilities in its Cisco Adaptive Security Appliance (ASA) Software Releases 8.2 through 9.4.3.3, Network Convergence System 6000, ASR 5000 Series prior to versions 19.4 and 20.1, WebEx Meetings Server versions 2.6 and 2.7, and Meeting Server Software releases 1.7 through 1.9.  Apply updates. Cisco also reports an unpatched vulnerability in its Cisco IOS and IOS XE Software that supports BGP.  There are workarounds available for this vulnerability. Cisco also reports an unpatched vulnerability in its Cisco IOS XR Software Release 6.0.1.BASE. There are no workarounds available. Additional details are available at Cisco’s website.
Juniper Networks: Juniper reports its Junos OS has been updated to fix a critical security vulnerability concerning its IKE/IPsec certificates.  Additional details are available at Juniper’s website.
Novell Open Enterprise Server: Novell has released an update to fix multiple vulnerabilities in its Open Enterprise Server versions 11.2 and 2015 (OES 11 SP2 and OES 2015).  For version 11.2 apply patch oes11sp2-MozillaFirefox-10950. For version 2015 apply patch oes2015-MozillaFirefox-10951.  Additional details are available at Novell’s website.
If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running on their customers’ computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
Copyright © 2016 Citadel Information Group. All rights reserved.

Jeff Snyder’s SecurityRecruiter.com, Jeff Snyder Coaching, Security Recruiter Blog, 719.686.8810



Cybersecurity News for the Week of July 17, 2016

CYBERSECURITY NEWS

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP


Individuals at Risk

Cyber Update

Microsoft Update Doesn’t Quite Fix Decades-Old Printer Bug in Windows; Will Warn Users Who Can Say No: Printers. They can be the bane of every home office or small business, but not just when they jam or run out of paper or toner. They can also spread malware to systems connected to them. PCMagazine, July 14, 2016
Adobe, Microsoft Patch Critical Security Bugs: Adobe has pushed out a critical update to plug at least 52 security holes in its widely-used Flash Player browser plugin, and another update to patch holes in Adobe Reader. Separately, Microsoft released 11 security updates to fix more than 40 flaws in Windows and related software. KrebsOnSecurity, July 13, 2016

Cyber Warning

Pokemon Go – Unofficial versions contain Trojans that silently click on porn ads you don’t even see: Security firms have repeated warnings that unofficial versions of Pokemon Go are likely tainted with spyware or trojans. TheRegister, July 15, 2016
‘Pokemon GO’ Malware Latest News & Update: Avoid Pirated Versions and Wait For Official Game Release: News headlines have been filled with “Pokemon Go” related bits but mostly for all the wrong reasons. With the game released only to the Australia, New Zealand and the U.S., gamers from other regions have resorted to alternative but risky measures by trying to get hold of a copy from unofficial sites. GAMEnGuide, July 15, 2016

Cyber Defense

Two-factor authentication (2FA): why you should care: Online security can feel a bit like an arms race sometimes, and it may seem like there’s always something new to keep track of. But many of the more tried-and-true security principles and methods have been around for a while, they just take a while to become more mainstream. NakedSecurity, June 27, 2016

Information Security Management in the Organization

Information Security Governance

What SMBs Need To Know About Security But Are Afraid To Ask: A comprehensive set of new payment protection resources from the PCI Security Standards Council aims to help small- and medium-sized businesses make security a priority. DarkReading, July 14, 2016
The Value of a Hacked Company: Most organizations only grow in security maturity the hard way — that is, from the intense learning that takes place in the wake of a costly data breach. That may be because so few company leaders really grasp the centrality of computer and network security to the organization’s overall goals and productivity, and fewer still have taken an honest inventory of what may be at stake in the event that these assets are compromised. KrebsOnSecurity, July 14, 2016
The Information Security Leader, Part 2: Two Distinct Roles of a CISO: In the original “Star Trek” television series, second officer and chief engineer Montgomery “Scotty” Scott was invaluable to the mission of the Starship Enterprise — not only down in the engine room getting his hands dirty, but also up on the bridge as a senior officer supporting Captain Kirk. SecurityIntelligence, July 12, 2016

Cyber Defense

Gartner: Cybersecurity control a concern for digital businesses: Digitization requires big changes to companies’ strategic processes, and security is no different: In a recent report, Gartner predicts that 60% of digital businesses will experience major service failures by 2020 due to the inefficacy of their IT security teams to handle digital risks. SearchCompliance, July 15, 2016
Key Measures to Prevent, Recover from Ransomware: Ransomware is, of course, malicious software that can do terrible harm to your company. Biz Coach Terry Corbell cites Citadel’s Kimberly Pease. The Biz Coach, July 10, 2016

Cyber Update

Cisco Patches DoS Flaw in NCS 6000 Routers: Cisco Systems today released patches for two products, including one for a vulnerability rated a high criticality in Cisco IOS XR for the Cisco Network Convergence System series routers. ThreatPost, July 14, 2016
Crypto flaw made it easy for attackers to snoop on Juniper customers: As if people didn’t already have cause to distrust the security of Juniper products, the networking gear maker just disclosed a vulnerability that allowed attackers to eavesdrop on sensitive communications traveling through customers’ virtual private networks. ars technica, July 14, 2016

Cyber Security in Society

Cyber Crime

More Than $2 Million Stolen by Hackers in Taiwan ATM Heist: Three people, including a Russian national, stole 70 million Taiwan dollars (A$2.9 million) from 34 ATMs in Taiwan at the weekend. TechWorm, July 15, 2016
Cybercrime Overtakes Traditional Crime in UK: In a notable sign of the times, cybercrime has now surpassed all other forms of crime in the United Kingdom, the nation’s National Crime Agency (NCA) warned in a new report. It remains unclear how closely the rest of the world tracks the U.K.’s experience, but the report reminds readers that the problem is likely far worse than the numbers suggest, noting that cybercrime is vastly under-reported by victims. KrebsOnSecurity, July 15, 2016
Omni Hotels was hit by point-of-sale malware: Omni Hotels & Resorts has reported that point-of-sale systems at some of its properties were hit by malware targeting payment card information. Computerworld, July 11, 2016

Cyber Underworld

For Sale on Dark Web: Source Code Allegedly Stolen From Large Healthcare Software Developer: “The Dark Overlord,” a hacker who has been attempting to sell batches of personal and medical records supposedly stolen from U.S. healthcare organizations, is claiming a new victim: a large healthcare software developer (see Here’s How a Hacker Extorts a Clinic). BankInfoSecurity, July 14, 2016
Dirt Cheap Stampado Ransomware Sells on Dark Web for $39: Dirt cheap ransomware selling for as little as $39 on the dark web has security experts concerned the low price coupled with its potency could trigger a wave of new infections. ThreatPost, July 14, 2016

Cyber Law

Microsoft wins landmark appeal over seizure of foreign emails: A federal appeals court on Thursday said the U.S. government cannot force Microsoft Corp and other companies to turn over customer emails stored on servers outside the United States. Reuters, July 14, 2016
Europe’s New Privacy Shield to Replace Safe Harbor; Will US Mass Surveillance Practices Derail It?: Businesses on both sides of the Atlantic have been breathing a sigh of relief over the July 12 launch of the EU-U.S. data transfer agreement known as the Privacy Shield. BankInfoSecurity, July 13, 2016

Cyber Gov

China suspected in FDIC breach; Agency CIO accused of covering it up amidst systemic mismanagement. A report published by the House Committee on Science, Space and Technology today found that hackers purported to be from China had compromised computers at the Federal Deposit Insurance Corporation repeatedly between 2010 and 2013. Backdoor malware was installed on 12 workstations and 10 servers by attackers—including the workstations of the chairman, chief of staff, and general counsel of the FDIC. But the incidents were never reported to the US Computer Emergency Response Team (US-CERT) or other authorities and were only brought to light after an Inspector General investigation into another serious data breach at the FDIC in October of 2015. ars technica, July 13, 2016

Cyber Politics

Cybersecurity Not Stand-Alone Issue in Trump v. Clinton: July 14 — Donald Trump and Hillary Clinton are unlikely to make cybersecurity a centerpiece of their campaigns and probably won’t mention the issue during the party conventions. Bloomberg, July 14, 2016

Financial Cyber Security

Card fraud now hits nearly one third of consumers worldwide: Imagine folded, chopped, and mutilated plastic up to the sky: that’s the pile being generated by cardholder fraud these days. NakedSecurity, July 15, 2016

HIPAA

OCR Enforcement Action Against Business Associate for HIPAA Security Violations Includes $650,000 Payment: Despite the fact that Business Associates have been directly subject to and liable under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (HIPAA) since February 18, 2010, the Department of Health & Human Services, Office for Civil Rights (OCR), announced June 30 that it has entered into its first resolution agreement with a HIPAA Business Associate – sending a clear message that OCR is holding Business Associates accountable and expects these entities to understand and comply with their HIPAA obligations. NationalReview, July 13, 2016
HHS: Healthcare groups must report all ransomware attacks: The Federal Health and Human Services Department (HHS) issued guidelines this week that could require hospitals and doctor offices to notify HHS if they are victimized by a ransomware attack. SCMagazine, July 14, 2016

Cyber Research

Academics Build Early-Warning Ransomware Detection System: While most of the discussion around ransomware is rightly so about the unabated stampede of new strains and variations on existing samples, relatively little discourse focuses on detection beyond antivirus and intrusion prevention systems. ThreatPost, July 14, 2016

Cyber Miscellany

Why You Should Believe in the Digital Afterlife: A professor of neuroscience says it will one day be possible to live on in a computer after death. The Atlantic, July 14, 2016

Jeff Snyder’s SecurityRecruiter.com, Jeff Snyder Coaching, Security Recruiter Blog, 719.686.8810

Monday, July 11, 2016

Security Jobs: Cybersecurity Operations Manager, Chicago, IL



For this role, you'll have a background in Security Operations, Networks, Penetration Testing, Security Engineering and related technologies.

You'll manage a group of technically skilled engineers in a company that will depend on you to keep its cyber-focused operations up and running.



Security Jobs: Application Security Engineer, Chicago, IL


This role is a hands-on Application Security Engineer role.  The successful candidate will have a coding background.  You'll be protecting the company's most important assets when you take on this role.




Security Jobs: Threat Intelligence Manager Cybersecurity, New York City, NY

I'm working on writing up multiple job descriptions.  This role in Boston or New York is one of them.

Local candidates are preferred.  

This role will oversee all areas of Cyber Threats and the associated Cyber Risks that come from these threats across a global organization. 

If you've wanted to take your career from a focus on Cyber Security to a focus on Enterprise Cyber Threats and Enterprise Cyber Risk, this could be the next step for your career development.




Security Jobs: Threat Intelligence Manager Cybersecurity, Boston, MA


I'm working on writing up multiple job descriptions.  This role in Boston or New York is one of them.

Local candidates are preferred.  

This role will oversee all areas of Cyber Threats and the associated Cyber Risks that come from these threats across a global organization. 

If you've wanted to take your career from a focus on Cyber Security to a focus on Enterprise Cyber Threats and Enterprise Cyber Risk, this could be the next step for your career development.



Security Jobs: Cybersecurity Leadership, CISO, Chicago, IL




I'm working on writing up multiple job descriptions.  This role in Chicago is one of them. 

Local candidates are preferred.  This role exists in a highly structured, hierarchical environment.  

This role will likely be called Chief Information Security Officer but that will depend on who walks through the door and who earns the position.



Security Jobs: Governance, Risk and Compliance Management, Chicago, IL


I'm working on writing up multiple job descriptions.  This role in Chicago is one of them. Local candidates are preferred.  This manager will have a team of people who are working on Governance, Risk and Compliance topics for a global company.



Cybersecurity Vulnerability and Patch Report for July 10, 2016


CYBERSECURITY VULNERABILITY AND PATCH REPORT

FROM OUR FRIENDS AT CITADEL INFORMATION GROUP

Important Security Updates

Dropbox: Dropbox has released version 6.4.14 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel’s warning below]
Opera: Opera has released version 38.0.2220.41. Updates are available from within the browser or from Opera’s website.

Current Software Versions

Adobe Flash 22.0.0.192
Adobe Reader DC 2015.016.20039
Dropbox 6.4.14 [Citadel warns against relying on security of Dropbox or other cloud-based file exchange systems. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the master Dropbox [or other] password be at least 15 characters long and different from other passwords.]
Firefox 47.0.1 [Windows]
Google Chrome 51.0.2704.106
Internet Explorer 11.0.9600.18161
Java SE 8 Update 91 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.9 [Citadel recommends removing QuickTime. On April 14, US-CERT advised Microsoft Windows users to remove QuickTime. This followed a report in ars technica that Apple has no plans to update the Windows app despite at least two reliable QuickTime vulnerabilities that threaten Windows users who still have the program installed.]
Safari 9.1 [Mac OS X Mavericks, Yosemite, El Capitan]
Skype 7.25.0.106

For Your IT Department

Cisco Multiple Products: Cisco reports patched vulnerabilities in its Cisco TelePresence Video Communication Server (VCS) and Cisco Expressway Series software versions X8.1 and later, and AMP Threat Grid Appliance running a software version prior to 2.1.1.  Apply updates. Cisco also reports unpatched vulnerabilities in its Cisco Prime Infrastructure versions 3.1.0 and prior. There are no workarounds available. Additional details are available at Cisco’s website.
McAfee Network Data Loss Prevention: McAfee has released security updates for its Network Data Loss Prevention to fix three vulnerabilities.  Update with Network Data Loss Prevention (NDLP) Hotfix 9.3.4.1.2.  Additional details are available at McAfee’s website.
Novell Open Enterprise Server: Novell has released an update to fix multiple vulnerabilities in its Open Enterprise Server versions 11.2 and 2015 (OES 11 SP2 and OES 2015).  For version 11.2 apply patch oes11sp2-xen-10881. For version 2015 apply patch oes2015-xen-10882.  Additional details are available at Novell’s website.
TeamViewer: TeamViewer has released version 11.0.62308. Updates are available from TeamViewer’s website.
Copyright © 2016 Citadel Information Group. All rights reserved.

Jeff Snyder’s SecurityRecruiter.com, Jeff Snyder Coaching, Security Recruiter Blog, 719.686.8810



SecurityRecruiter.com's Security Recruiter Blog