The President’s May 11 executive order Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure seems to have been met with broad support. While a few have been critical that it was not bold enough, most reviewers seem to be endorsing the main message, both for what it does (initiating broad self-assessments by agencies), and for what it does not do (consolidate all accountability in the DoD). The broad strokes: This order endorses, mandates, and accelerates the adoption of existing frameworks as well as ongoing risk assessment and mitigation, but it does not set the game clock back by forcing the creation of new frameworks or imposing stifling centralization. Full disclosure: I’m accountable for growing the cybersecurity business line at FICO. That said, in reading the text of the order, I was struck by the broad alignment of its goals and directives with the goals, use cases, and specific capabilities... [Read More]
The greatest risk to credit unions and CUSOs today is the loss of your members’ trust and financial safety. Can your institution survive a cyber breach? Understanding your cyber risk is a critical part of protecting yourself and your members. That’s why we launched the FICO® Enterprise Security Score last year. And now, our cyber score has been selected as one of 5 big ideas to be presented at the National Association of Credit Union Service Organizations (NACUSO) 2017 Network Conference “Next Big Idea Competition.” Why is cyber scoring the next big idea for credit unions? Fraud/cybersecurity is the top priority for credit union CEOs and, by extension, CUSOs. Today’s breach risk measurements are inadequate and inaccurate. They’re manual rather than scalable, judgmental rather than empirical, point-in-time rather than predictive. ESS is rapidly deployed. You don’t install software, you just throw a switch. ESS is multi-tenant, so CUSOs can rapidly... [Read More]
I’m not a big fan of vampire movies—I’d pick Blackhat over Abraham Lincoln: Vampire Hunter any night of the week—but there are a lot of similarities between hackers and vampires. First, they’re afraid of the light. What hacker wants his true identity to be revealed? Second, they suck the blood out of their victims. Whether stealing data or demanding payment for ransomware, “bloodsucking” is one of the kinder adjectives used to describe cyber criminals. However, even though vampires are theoretically immortal, vanquishing them is pretty straightforward; any True Blood fan can tell you that a wooden dagger or silver bullet will do the trick. It’s not quite so easy to stop hackers in their tracks. Encryption can be effective … … but it’s not a stake through the heart of hacking. Data encryption is a highly effective defense against hackers, particularly in achieving HIPAA compliance to protect Protected Health Information... [Read More]
The RSA Conference has descended upon San Francisco’s Moscone Center, bigger and more energizing than ever. With security an agenda-topping concern of many CIOs in 2017, the fervor to fight cybercrime is at an all-time high. While there was a wide range of top-of-mind topics being discussed, two topics in particular continued to show growing interest – artificial intelligence and cyber insurance. More on that in a minute. The theme of this year’s RSA Conference was “The power of opportUNITY,” and we had plenty of opportunities in San Francisco to showcase FICO’s unity with security professionals and industry influencers on similar missions. Two of these events took place in informal settings designed to encourage networking and dialogue: The Cyber+IoT Bangers and Mash Roundtable Breakfast, held on Tuesday morning in conjunction with the San Diego industry organization CyberTECH. This panel session focused on “Securing the Smart City” and featured guests such... [Read More]
The short answer: potentially a lot more than you intend. Let’s say you take a walk or run early every morning, on the same route in your favorite park, before the sun comes up. Your fitness wearable times your run, tracks your progress, and calculates your distance based on location, which is great—until that information, stolen during a data breach, ends up in the hands of a cyber stalker. Now, all of a sudden, you’ve unwittingly been put in a very vulnerable place. It’s true, this type of theorizing can be a little macabre. So are the ethics of self-driving cars, and many other aspects of the new world of artificial intelligence we now inhabit. The reality is, every category of technology carries inherent risks, and as people become more connected with technology in every aspect of their lives, we must be cognizant of those risks. New technology creates new... [Read More]
In the world of cybersecurity, 2016 was a banner year – and not in a good way. From the Bank of Bangladesh/SWIFT heist in February to the Dyn DDoS attack a few weeks ago, the year’s wild attacks have one thing in common: They were proof that hacker innovation is on a growth trajectory. That’s the bad news. The good news is that businesses and consumers are also much more aware of cyber threats than they were 12 months ago, and that’s the jumping off point of my cybersecurity predictions for 2017. 1. Consumers will care a lot more about the security of the companies they do business with. With hackers hitting organizations from the Internal Revenue Service to the University of California, Berkeley in 2016, consumers are more anxious than ever about the downstream financial crime that follows data breaches. In 2017, consumer demand will emerge around wanting to... [Read More]
“What gets measured gets managed,” might be the oldest saw in the business universe. But in my mind, it is closely followed by another: “What gets measured gets monetized.” And that is exactly what is happening today in the booming, yet very-brand-new market for enterprise cyber breach insurance. Specifically, I believe that the new FICO® Enterprise Security Score (ESS), a metric that quantifies the vulnerability of an organization to cyber attack, will dramatically catalyze the growth of the cyber breach insurance market. ESS can be used by an enterprise to understand its cyber risk and shore up defense gaps. It is also an important assessment tool for third parties such as potential business partners and, notably, cyber insurance providers. With its quantitative, empirically derived analytics, FICO ESS will drive objective risk measurement, transparency and predictability into both breach insurance underwriting and longer-term portfolio management––essential requirements in monetizing the rapidly evolving market... [Read More]
What if there were clear measure that told you how protected your organization is from cyber threats? The potential benefits of such a score are clear. It could help security professionals address gaps, and help the boards of public companies prioritize security investments. It could also enable third parties, from partners and potential customers to insurers, understand a firm’s security risk. This is precisely what FICO is developing: a FICO® Enterprise Security Score to rank an organization’s level of cybersecurity risk. Today we announced that we have acquired QuadMetrics, an innovative cyber risk security scoring company, to further this effort. We see the FICO Enterprise Security Score as an essential complement to FICO® Falcon® Cybersecurity Analytics for threat detection. With the acquisition of QuadMetrics and the infusion of FICO’s analytic scoring methods, FICO will provide both cybersecurity defences and an enterprise-level “cyber score” that gives an empirical, impartial measure of... [Read More]
I’ve just participated in a debate over analytics vs. encryption for cybersecurity, on the InformationWeek Dark Reading website. This is a sign of the times — the cyber space is so hot that technologies are being treated as rivals, jockeying to win your infosec budget. The truth is, it isn’t an either/or proposition. As I note in my article, arguing against encryption would be a bit like arguing against locks on doors. Strong encryption – like firewalls and user authentication – is a basic defense against the damage that might flow from a successful attack on information infrastructure. But encryption is not foolproof, and it shouldn’t be your one means of defense. As artificial intelligence and analytics have come into play, there has been some criticism — often from competing vendors who misunderstand or misrepresent how AI works. In the past, cybersecurity analytics were focused on gathering data about compromises,... [Read More]
“Data! Data! Data! I can’t make bricks without clay.” That’s what Sherlock Holmes says in “The Adventures of the Copper Beeches,” and the same goes for the data sleuths today trying to stop cyber crime. It’s a positive sign that lawmakers recognize this need. Information sharing has become of the fundamental tenets of cybersecurity being discussed by regulators on Capitol Hill. But the data we need is more than what is being proposed in some regulatory plans. On March 3, the House Commerce Subcommittee on Oversight and Investigations held a hearing on “Understanding the Cyber Threat and Implications for the 21st Century Economy.” Greg Shannon, Chief Scientist of the CERT Program at Carnegie Mellon University, spoke to this need: “Richer data needs to be shared with the research and development community — meaning not only incident data but also datasets that enable understanding of what ‘normal’ resembles (in terms of... [Read More]
