computer security

Auto Added by WPeMatico

Duo’s Wendy Nather to talk security at TC Sessions: Enterprise

When it comes to enterprise security, how do you move fast without breaking things?

Enter Duo’s Wendy Nather, who will join us at TC Sessions: Enterprise in San Francisco on September 5, where we will get the inside track on how to keep enterprise networks secure without slowing growth.

Nather is head of advisory CISOs at Duo Security, a Cisco company, and one of the most respected and trusted voices in the cybersecurity community as a regular speaker on a range of topics, from threat intelligence to risk analysis, incident response, data security and privacy issues.

Prior to her role at Duo, she was the research director at the Retail ISAC, and served as the research director of the Information Security Practice at independent analyst firm 451 Research.

She also led IT security for the EMEA region of the investment banking division of Swiss Bank Corporation — now UBS.

Nather also co-authored “The Cloud Security Rules,” and was listed as one of SC Magazine’s Women in IT Security “Power Players” in 2014.

We’re excited to have Nather discuss some of the challenges startups and enterprises face in security — threats from both inside and outside the firewall. Companies large and small face similar challenges, from keeping data in to keeping hackers out. How do companies navigate the litany of issues and threats without hampering growth?

Who else will we have onstage, you ask? Good question! We’ll be joined by some of the biggest names and the smartest and most prescient people in the industry, including Bill McDermott at SAP, Scott Farquhar at Atlassian, Julie Larson-Green at Qualtrics, Aaron Levie at Box and Andrew Ng at Landing AI and many, many more. See the whole agenda right here.

Early-bird tickets are on sale right now! For just $249 you can see Nather and these other awesome speakers live at TC Sessions: Enterprise. But hurry, early-bird sales end on August 9; after that, prices jump up by $100. Book here.

If you’re a student on a budget, don’t worry, we’ve got a super-reduced ticket for just $75 when you apply for a student ticket right here.

Enterprise-focused startups can bring the whole crew when you book a Startup Demo table for just $2,000. Each table gives you a primo location to be seen by attendees, investors and other sponsors, in addition to four tickets to enjoy the show. We only have a limited amount of demo tables and we will sell out. Book yours here.

Powered by WPeMatico

UK to toughen telecoms security controls to shrink 5G risks

Amid ongoing concerns about security risks posed by the involvement of Chinese tech giant Huawei in 5G supply, the U.K. government has published a review of the telecoms supply chain, which concludes that policy and regulation in enforcing network security needs to be significantly strengthened to address concerns.

However, it continues to hold off on setting an official position on whether to allow or ban Huawei from supplying the country’s next-gen networks — as the U.S. has been pressurizing its allies to do.

Giving a statement in parliament this afternoon, the U.K.’s digital minister, Jeremy Wright, said the government is releasing the conclusions of the report ahead of a decision on Huawei so that domestic carriers can prepare for the tougher standards it plans to bring in to apply to all their vendors.

“The Review has concluded that the current level of protections put in place by industry are unlikely to be adequate to address the identified security risks and deliver the desired security outcomes,” he said. “So, to improve cyber security risk management, policy and enforcement, the Review recommends the establishment of a new security framework for the UK telecoms sector. This will be a much stronger, security based regime than at present.

“The foundation for the framework will be a new set of Telecoms Security Requirements for telecoms operators, overseen by Ofcom and government. These new requirements will be underpinned by a robust legislative framework.”

Wright said the government plans to legislate “at the earliest opportunity” — to provide the regulator with stronger powers to to enforcement the incoming Telecoms Security Requirements, and to establish “stronger national security backstop powers for government.”

The review suggests the government is considering introducing GDPR-level penalties for carriers that fail to meet the strict security standards it will also be bringing in.

First policy response will be ‘soft’, common cybersecurity standards. Then regulations, with strict standards and #GDPR like fines. New powers allowing to compel telecoms to do something. And work to increase diversity. pic.twitter.com/nBLWneFUDK

— Lukasz Olejnik (@lukOlejnik) July 22, 2019

“Until the new legislation is put in place, government and Ofcom will work with all telecoms operators to secure adherence to the new requirements on a voluntary basis,” Wright told parliament today. “Operators will be required to subject vendors to rigorous oversight through procurement and contract management. This will involve operators requiring all their vendors to adhere to the new Telecoms Security Requirements.

“They will also be required to work closely with vendors, supported by government, to ensure effective assurance testing for equipment, systems and software, and to support ongoing verification arrangements.”

The review also calls for competition and diversity within the supply chain — which Wright said will be needed “if we are to drive innovation and reduce the risk of dependency on individual suppliers.”

The government will therefore pursue “a targeted diversification strategy, supporting the growth of new players in the parts of the network that pose security and resilience risks,” he added.

“We will promote policies that support new entrants and the growth of smaller firms,” he also said, sounding a call for security startups to turn their attention to 5G.

Government would “seek to attract trusted and established firms to the UK market,” he added — dubbing a “vibrant and diverse telecoms market” as both good for consumers and for national security.

“The Review I commissioned was not designed to deal only with one specific company and its conclusions have much wider application. And the need for them is urgent. The first 5G consumer services are launching this year,” he said. “The equally vital diversification of the supply chain will take time. We should get on with it.”

Last week two U.K. parliamentary committees espoused a view that there’s no technical reason to ban Huawei from all 5G supply — while recognizing there may be other considerations, such as geopolitics and human rights, which impact the decision.

The Intelligence and Security Committee also warned that what it dubbed the “unnecessarily protracted” delay in the government taking a decision about 5G suppliers is damaging U.K. relations abroad.

Despite being urged to get a move on the specific issue of Huawei, it’s notable that the government continues to hold off. Albeit, a new prime minister will be appointed later this week, after votes of Conservative Party members are counted — which may be contributing to ongoing delay.

“Since the US government’s announcement [on May 16, adding Huawei and 68 affiliates to its Entity List on national security grounds] we have sought clarity on the extent and implications but the position is not yet entirely clear. Until it is, we have concluded it would be wrong to make specific decisions in relation to Huawei,” Wright said, adding: “We will do so as soon as possible.”

In a press release accompanying the telecoms supply chain review the government said decisions would be taken about high risk vendors “in due course.”

Earlier this year a leak from a meeting of the U.K.’s National Security Council suggested the government was preparing to give an amber light to Huawei to continue supplying 5G — though limiting its participation to non-core portions of networks.

The Science & Technology Committee also recommended the government mandate the exclusion of Huawei from the core of 5G networks.

Wright’s statement appears to hint that that position remains the preferred one — barring a radical change of policy under a new PM — with, in addition to talk of encouraging diversity in the supply chain, the minister also flagging the review’s conclusion that there should be “additional controls on the presence in the supply chain of certain types of vendor which pose significantly greater security and resilience risks to UK telecoms.”

“Additional controls” doesn’t sound like a euphemism for an out-and-out ban.

In a statement responding to the review, Huawei expressed confidence that it’s days of supplying U.K. 5G are not drawing to a close — writing:

The UK Government’s Supply Chain Review gives us confidence that we can continue to work with network operators to rollout 5G across the UK. The findings are an important step forward for 5G and full fibre broadband networks in the UK and we welcome the Government’s commitment to “a diverse telecoms supply chain” and “new legislation to enforce stronger security requirements in the telecoms sector”. After 18 years of operating in the UK, we remain committed to supporting BT, EE, Vodafone and other partners build secure, reliable networks.”

The evidence shows excluding Huawei would cost the UK economy £7 billion and result in more expensive 5G networks, raising prices for anyone with a mobile device. On Friday, Parliament’s Intelligence & Security Committee said limiting the market to just two telecoms suppliers would reduce competition, resulting in less resilience and lower security standards. They also confirmed that Huawei’s inclusion in British networks would not affect the channels used for intelligence sharing.

A spokesman for the company told us it already supplies non-core elements of U.K. carriers’ EE and Vodafone’s network, adding that it’s viewing Wright’s statement as an endorsement of that status quo.

While the official position remains to be confirmed, all the signals suggest the U.K.’s 5G security strategy will be tied to tightened regulation and oversight, rather than follow a U.S. path of seeking to shut out Chinese tech giants.

Commenting on the government’s telecoms supply chain review in a statement, Ciaran Martin, CEO of the U.K.’s National Cyber Security Centre, said: “As the UK’s lead technical authority, we have worked closely with DCMS [the Department for Digital, Culture, Media and Sport] on this review, providing comprehensive analysis and cyber security advice. These new measures represent a tougher security regime for our telecoms infrastructure, and will lead to higher standards, much greater resilience and incentives for the sector to take cyber security seriously.

“This is a significant overhaul of how we do telecoms security, helping to keep the UK the safest place to live and work online by ensuring that cyber security is embedded into future networks from inception.”

Although, tougher security standards for telecoms combined with updated regulations that bake in major fines for failure suggest Huawei will have its work cut out not to be excluded by the market, as carriers will be careful about vendors as they work to shrink their risk.

Earlier this year a report by an oversight body that evaluates its approach to security was withering — finding “serious and systematic defects” in its software engineering and cybersecurity competence.

Powered by WPeMatico

For pen testing firm IOActive, security is cultural not transactional

IOActive may not be a household name but you almost certainly know its work.

The Seattle-headquartered company has been behind some of the most breathtaking hacks in the past decade. Its researchers have broken into in-flight airplanes from the ground and reverse engineered an ATM to spit out gobs of cash. One of the company’s most revered hackers discovered a way to remotely shock a pacemaker out of rhythm. And remember that now-infamous hack that remotely killed the engine of a Jeep? That was IOActive, too.

If it’s connected, they will bet that they can hack it.

IOActive has made a name for itself with its publicly reported findings, but its bread and butter is helping its corporate customers better understand how they approach security.

Since its founding more than two decades ago, the penetration testing and ethical hacking company now serves customers mostly in the Global 1000 largest companies to help assess and test their security posture.

“You can have the absolute most sophisticated alarm in the entire world, and I guarantee our team can break in,” said Jennifer Steffens, IOActive’s chief executive, in a call with TechCrunch. “But if you left your front door unlocked lock, hackers are going to walk right through”

“Don’t pay us to show you how to break into the alarm before someone learns how to lock the door,” she said.

Powered by WPeMatico

AI security startup Darktrace’s CEO defeats buzzword bingo with trust and transparency

It takes a lot of trust to allow a company to come in and install a mystery box on their network to monitor for threats. It’s like inviting in a security guard to sit in your living room to make sure nobody breaks in.

Yet that’s exactly what Darktrace does. (The box, not the security guard.)

The Cambridge U.K.-founded company, now with a second headquarters in San Francisco, assumes that any network can be breached. Instead of looking at the perimeter of a network, Darktrace uses artificial intelligence (AI) and machine learning to scan and identify security weaknesses and malicious traffic inside a company’s network.

Traditional network monitoring typically uses signature-based threat detection of matching against known malicious files, but can be easily modified to evade detection. Instead, Darktrace builds up a profile of the network to understand what the baseline “normal” looks like so it can spot and identify potential issues, like large amounts of data exfiltration or suspect devices.

But how do you win over those who see a sea of meaningless buzzwords? How can you differentiate between the smoke and mirrors and the real deal?

“No one wants the black box making decisions without them knowing what it’s doing,” said Nicole Eagan, Darktrace’s co-founder and chief executive, in a call with TechCrunch.

“So, let them have visibility,” she said.

Darktrace’s founders have roots in the U.K. and U.S. intelligence, where they took what they knew of the cybersecurity threats to the private sector to where the new battleground opened up. In the past half-decade of its existence, the company has gained major clients on its roster — from telcos to banks, tech giants and car makers — supported by 900 staff in over 40 offices around the world.

About a quarter of its customers are in financial services, said Eagan. But it takes a lot for the heavily regulated companies to trust a mystery device on a company’s network where the data and security, like financial services, is highly regulated.

Powered by WPeMatico

How Marcin Kleczynski went from message boards to founding anti-malware startup Malwarebytes

Marcin Kleczynski is a shining example of the American dream.

A Polish-born immigrant turned naturalized citizen, Kleczynski grew up in the Chicago suburbs spending much of his time on computers and the early days of the world wide web. He couldn’t afford to buy computer games; instead, he downloaded them from the internet — and usually malware along with it. Frustrated that his computer’s anti-malware didn’t prevent the infection, he took to seeking help from security message boards to troubleshoot and remove the malware by hand.

That’s where Kleczynski thought he could do better, and so he founded Malwarebytes .

In early 2008, his company’s first anti-malware product was released. To no surprise, the very people on the message boards who helped Kleczynski recover his computer were the same championing his debut software. So much so that Kleczynski hired one of the people from the message board who helped him rid the malware from his computer as one of his first employees. Within months, Malwarebytes was turning over a couple of hundred thousand dollars, Kleczynski told TechCrunch.

By August came the question of whether he would run his company or go to university.

“After about a 15-second conversation with my mother, she quickly informed me that I would be attending university,” he said.

And so he did both.

Fast-forward to today, the company is a multi-million dollar anti-malware giant serving 150 million consumer customers and 50,000 paying small to medium-sized business and enterprise customers from its five offices — two in the U.S., as well as Estonia, Ireland and Singapore.

Powered by WPeMatico

Security startup Bugcrowd on crowdsourcing bug bounties: ‘Cybersecurity is a people problem’

For a cybersecurity company, Bugcrowd relies much more on people than it does on technology.

For as long as humans are writing software, developers and programmers are going to make mistakes, said Casey Ellis, the company’s founder and chief technology officer in an interview TechCrunch from his San Francisco headquarters.

“Cybersecurity is fundamentally a people problem,” he said. “Humans are actually the root of the problem,” he said. And when humans made coding mistakes that turn into bugs or vulnerabilities that be exploited, that’s where Bugcrowd comes in — by trying to mitigate the fallout before they can be maliciously exploited.

Founded in 2011, Bugcrowd is one of the largest bug bounty and vulnerability disclosure companies on the internet today. The company relies on bug finders, hackers, and security researchers to find and privately report security flaws that could damage systems or putting user data at risk.

Bugcrowd acts as an intermediary by passing the bug to the companies to get fixed — potentially helping them to dodge a future security headache like a leak or a breach — in return for payout to the finder.

The greater the vulnerability, the higher the payout.

“The space we’re in is brokering conversations between different groups of people that don’t necessarily have a good history of getting along but desperately need to talk to each other,” said Ellis.

Powered by WPeMatico

As concerns over medical device security rise, MedCrypt raises $5.3 million

As medical devices move to networked technologies, securing those devices becomes increasingly important.

Regulators, seemingly late to the threat that unsecured medical devices posed, only began requiring protections for medical devices like pacemakers and insulin pumps two years ago, and since then new technology companies have leapt into the breach to begin providing security services for the healthcare industry.

Most recently, MedCrypt, a graduate from the most recent batch of Y Combinator companies, raised $5.3 million in a new round of funding, from investors led by Section 32, the investment firm founded by former Google Ventures partner Bill Maris.

Joining Maris’ firm were previous investors Eniac Ventures and Y Combinator itself.

“Internet-connected medical technology is entering the market at light speed, calling for devices to be secure by design, which leads to a heightened level of patient safety at all times,” said MedCrypt chief executive Mike Kijewski in a statement.

Securing patient data has been a longtime requirement for health technology companies, but both patient records and hospital networks are dangerously vulnerable to cyberattacks.

In 2018, more than 6 million patient records in the U.S. were exposed thanks to network intrusions and cyberattacks, according to the publication Health IT Security. And those were just in the 10 largest security breaches.

The healthcare industry has only managed to achieve 72% compliance with the HIPAA Security Rule for protecting patient data, according to an April report from CynergisTek.

Investors have recognized the problem and are investing more into companies focused on the healthcare market specifically. MedCrypt’s competition for these security dollars include companies like Medigate, which raised $15 million earlier this year.

While Medigate focuses on network security, MedCrypt is focused on securing devices themselves. Both security functions are critical, according to investors.

“With regulators appropriately taking a hard look at medical device security and the sheer growth in the number of devices being added to already complex clinical networks,” there is a significant opportunity for companies tackling medical device security, according to a statement from Dr. Jonathan Root, who has led several IT-enabled healthcare investments for USVP.

Powered by WPeMatico

Freedom Mobile server leak exposed customer data

A security lapse at Canada’s fourth largest cell network, Freedom Mobile, exposed customer data.

Security researchers Noam Rotem and Ran Locar found an Elasticsearch server leaking five million logs containing customer data. The server wasn’t protected with a password, allowing anyone to access the data.

Rotem and Locar, who shared their findings exclusively with TechCrunch and published a report at vpnMentor, said it took the cell giant a week to secure the leaking database after first reaching out.

The database is believed to be part of a logging system used by the company to determine errors and glitches in the company’s systems. The database recorded any errors and the plaintext data associated with it, including customer data.

Data seen by TechCrunch reveals customer names, email addresses, phone numbers, postal addresses, dates of birth, customer types and Freedom Mobile account numbers.

The logs also contain answers to credit checks filed through Equifax, including details if an application was accepted or rejected — along with the reason why.

We also found full credit card numbers, expiry dates and verification numbers stored in plaintext.

None of the data was encrypted.

Freedom Mobile has more than 1.5 million customers across Canada, according to its latest financial earnings. Chethan Lakshman, a spokesperson for Freedom Mobile’s parent company Shaw Communications, said about 15,000 customers were affected.

“We have discovered that the data that was exposed was contained to a very small number of customers who had opened or made any changes to their accounts at 17 Freedom Mobile retail locations from March 25 to April 15, and any customers who made changes or opened accounts on April 16,” he said. “Our investigation has revealed that a very limited amount of Freedom Mobile customer data was exposed as the result of a misconfigured server managed by Apptium, a new third-party service provider Freedom Mobile has engaged to streamline our retail customer support processes.”

A forensic investigation is underway, the spokesperson said.

Apptium did not return a request for comment.

It’s the latest in a string of data exposures following security lapses that failed to secure databases with basic security measures. Earlier this year, Rotem and Locar found Chinese online shopping giant Gearbest inadvertently exposed millions of customer orders. Now, the researchers say the Freedom Mobile data leak could be one of Canada’s largest. The closest was Bell Canada’s data breach in 2017, in which hackers took more than 1.9 million customer records.

Access to credit card data and credit score data would be a boon for fraudsters and identity thieves wanting to cash in.

A spokesperson for Canada’s data protection authority, the Office of the Privacy Commissioner, confirmed it “received a breach report related to Freedom Mobile,” and “will be examining the report in order to determine next steps.”

Read more:

Powered by WPeMatico

After account hacks, Twitch streamers take security into their own hands

Twitch has an account hacking problem.

After the breach of popular browser game Town of Salem in January, some 7.8 million stolen passwords quickly became the weakest link not only for the game but gamers’ other accounts. The passwords were stored using a long-deprecated scrambling algorithm, making them easily cracked.

It didn’t take long for security researcher and gamer Matthew Jakubowski to see the aftermath.

In the weeks following, the main subreddit for Amazon-owned game streaming site Twitch — of which Jakubowski is a moderator — was flooded with complaints about account hijacks. One after the other, users said their accounts had been hacked. Many of the hijacked accounts had used their Town of Salem password for their Twitch account.

Jakubowski blamed the attacks on automated account takeovers — bots that cycle through password lists stolen from breached sites, including Town of Salem.

“Twitch knows it’s a problem — but this has been going on for months and there’s no end in sight,” Jakubowski told TechCrunch.

Credential stuffing is a security problem that requires participation from both tech companies and their users. Hackers take lists of usernames and passwords from other breached sites and brute-force their way into other accounts. Customers of DoorDash and Chipotle have in recent months complained of account breaches, but have denied their systems have been hacked, offered little help to their users or shown any effort to bolster their security, and instead washed their hands of any responsibility.

Jakubowski, working with fellow security researcher Johnny Xmas, said Twitch no longer accepting email addresses to log in and incentivizing users to set up two-factor authentication would all but eliminate the problem.

The Russia connection

In new research out Tuesday, Jakubowski and Xmas said Russian hackers are a likely culprit.

The researchers found attackers would run massive lists of stolen credentials against Twitch’s login systems using widely available automation tools. With no discernible system to prevent automated logins, the attackers can hack into Twitch accounts at speed. Once logged in, the attackers then change the password to gain persistent access to the account. Even if they’re caught, some users are claiming a turnaround time of four weeks for Twitch support to get their accounts back.

On the accounts with a stored payment card — or an associated Amazon Prime membership — the attackers follow streaming channels they run or pay a small fee to access, of which Twitch takes a cut. Twitch also has its own virtual currency — bits — to help streamers solicit donations, which can be abused by the attackers to funnel funds into their coffers.

When the attacker’s streaming account hits the payout limit, the attacker cashes out.

The researchers said the attackers stream prerecorded gameplay footage on their own Twitch channels, often using Russian words and names.

“You’ll see these Russian accounts that will stream what appears to be old video game footage — you’ll never see a face or hear anybody talking but you’ll get tons of people subscribing and following in the channel,” said Xmas. “You’ll get people donating bits when nothing is going on in there — even when the channel isn’t streaming,” he said.

This activity helps cloak the attackers’ account takeover and pay-to-follow activity, said Xmas, but the attackers would keep the subscriber counts low enough to garner payouts from Twitch but not draw attention.

“If it’s something easy enough for [Jakubowski] to stumble across, it should be easy for Twitch to handle,” said Xmas. “But Twitch is staying silent and users are constantly being defrauded.”

Two-factor all the things

Twitch, unlike other sites and services with a credential stuffing problem, already lets its 15 million daily users set up two-factor authentication on their accounts, putting much of the onus to stay secure on the users themselves.

Twitch partners, like Jakubowski, and affiliates are required to set up two-factor on their accounts.

But the researchers say Twitch should do more to incentivize ordinary users — the primary target for account hijackers and fraudsters — to secure their accounts.

“I think [Twitch] doesn’t want that extra step between a valid user trying to pay for something and adding friction to that process,” said Jakubowski.

“The hackers have no idea how valuable an account is until they log in. They’re just going to try everyone — and take a shotgun approach.”
Matthew Jakubowski, security researcher and Twitch partner

“Two-factor is important — everyone knows it’s important but users still aren’t using it because it’s inconvenient,” said Xmas. “That’s the bottom line: Twitch doesn’t want to inconvenience people because that loses Twitch money,” he said.

Recognizing there was still a lack of awareness around password security and with no help from Twitch, Jakubowski and Xmas took matters into their own hands. The pair teamed up to write a comprehensive Twitch user security guide to explain why seemingly unremarkable accounts are a target for hackers, and hosted a Reddit “ask me anything” to let users to ask questions and get instant feedback.

Even during Jakubowski’s streaming sessions, he doesn’t waste a chance to warn his viewers about the security problem — often fielding other security-related questions from his fans.

“Every 10 minutes or so, I’ll remind people watching to set-up two factor,” he said.

“The hackers have no idea how valuable an account is until they log in,” said Jakubowski. “They’re just going to try everyone — and take a shotgun approach,” he said.

Xmas said users “don’t realize” how vulnerable they are. “They don’t understand why their account — which they don’t even use to stream — is desirable to hackers,” he said. “If you have a payment card associated with your account, that’s what they want.”

Carrot and the stick

Jakubowski said that convincing the users is the big challenge.

Twitch could encourage users with free perks — like badges or emotes — costing the company nothing, the researchers said. Twitch lets users collect badges to flair their accounts. World of Warcraft maker Blizzard offers perks for setting up two-factor, and Epic Games offers similar incentives to their gamers.

“Rewarding users for implementing two-factor would go a huge way,” said Xmas. “It’s incredible to see how effective that is.”

The two said the company could also integrate third-party leaked credential monitoring services, like Have I Been Pwned, to warn users if their passwords have been leaked or exposed. And, among other fixes, the researchers say removing two-factor by text message would reduce SIM swapping attacks. Xmas, who serves as director of field engineering at anti-bot startup Kasada — which TechCrunch profiled earlier this year — said Twitch could invest in systems that detect bot activity to prevent automated logins.

Twitch, when reached prior to publication, did not comment.

Jakubowski said until Twitch acts, streamers can do their part by encouraging their viewers to switch on the security feature. “Streamers are influencers — more users are likely to switch on two-factor if they hear it from a streamer,” he said.

“Getting more streamers to get on board with security will hopefully go a much longer way,” he said.

Read more:

Powered by WPeMatico

Why your CSO, not your CMO, should pitch your security startup

Whenever a security startup lands on my desk, I have one question: Who’s the chief security officer (CSO) and when can I get time with them?

Having a chief security officer is as relevant today as a chief marketing officer (CMO) or chief revenue boss. Just as you need to make sure your offering looks good and the money keeps rolling in, you need to show what your security posture looks like.

Even for non-security startups, having someone at the helm is just as important — not least given the constant security threats that all companies face today, they will become a necessary part of interacting with the media. Regardless of whether your company builds gadgets or processes massive amounts of customer data, security has to be at the front of mind. It’s no good simply saying that you “take your privacy and security seriously.” You have to demonstrate it.

A CSO has several roles and they will wear many hats. Depending on the kind of company you have, they will work to bolster your company’s internal processes and policies on keeping not only your corporate data safe but also the data of your customers. They also will be consulted on security practices of your app or product or service to make sure you’re complying with consumer-expected privacy expectations — and not the overbearing and all-embracing industry standards of vacuuming up as much data as there is.

But for the average security startup, a CSO should also act as the point-person for all technical matters associated with their company’s product or service. A CSO can be an evangelist for the infosec professional who can speak to their company’s offering — and to reporters, like me.

In my view, no startup of any size — especially a security startup — should be without a CSO.

The reality is about 95 percent of the world’s wealthiest companies don’t have one. Facebook hasn’t had someone running the security shop since August. It may be a coincidence that the social networking giant has faced breach after exposure after leak after scandal, and it shows — the company is running around headless without a direction of where to go.

Powered by WPeMatico