Risk management

A successful risk management plan helps enterprises identify, plan for and mitigate potential risks. Learn about the components of risk management programs, including penetration tests, vulnerability and risk assessments, frameworks, security awareness training and more.

Top Stories

Feature 19 May 2023
The potential danger of the new Google .zip top-level domain

How much should the average end user be concerned about the new .zip and .mov TLDs? They aren't as bad as some make them out to be, but it's still worth doing something about them. Continue Reading
News 16 May 2023
Coalition: Employee actions are driving cyber insurance claims

After analyzing cyber insurance claims data, Coalition determined that phishing escalated in 2022, ransomware dropped and timely patching remained a consistent problem. Continue Reading

Guest Post 09 Oct 2020

For Cybersecurity Awareness Month, learn about emerging risks

Tami Hudson examines why leaders should use October to educate themselves and their companies around the latest attacks bad actors are implementing and where to prioritize investment. Continue Reading
Guest Post 28 Sep 2020

How to improve cybersecurity for the workforce of the future

Many organizations continue to have employees work from home, but they haven't always hardened their cybersecurity efforts alongside this move to better protect employees and data. Continue Reading
Guest Post 28 Sep 2020

Cybersecurity testing essentials for mergers and acquisitions

Before moving forward with an M&A, conduct some cybersecurity testing to ensure your company knows how the acquired company protects data, employees and customers. Continue Reading
News 23 Sep 2020

ConnectWise launches bug bounty program to boost security

ConnectWise, which provides remote management software to MSPs, partnered with HackerOne in its first bug bounty program, which is part of a larger strategy to improve security. Continue Reading
News 09 Sep 2020

Intel patches critical flaw in Active Management Technology

Intel's Patch Tuesday featured four security advisories, including a critical flaw in Active Management Technology that could allow an attacker privilege escalation. Continue Reading
News 03 Sep 2020

CISA issues vulnerability disclosure order for federal agencies

The U.S. Cybersecurity and Infrastructure Security Agency gives a directive for federal agencies to establish vulnerability disclosure policies in the next 180 calendar days. Continue Reading
Feature 31 Aug 2020

Inclusivity a crucial step beyond diversity in cybersecurity

Spurred on by the social justice movement around the world, cybersecurity experts want to see a move beyond diversity efforts to ensure inclusivity in organizations as well. Continue Reading
Tip 24 Aug 2020

The 7 elements of an enterprise cybersecurity culture

An effective 'human firewall' can prevent or mitigate many of the threats enterprises face today. Adopt these seven elements of a culture of cybersecurity to defend against risks. Continue Reading
News 21 Aug 2020

Claroty: 70% of ICS vulnerabilities are remotely exploitable

Out of 365 ICS vulnerabilities that were disclosed by the National Vulnerability Database in the first half of 2020, Claroty found more than 70% can be remotely exploited. Continue Reading
News 11 Aug 2020

Healthcare CISO offers alternatives to 'snake oil' companies

Indiana University Health CISO Mitchell Parker discussed internal risk assessments, security snake oil salesmen and more at his Black Hat USA 2020 talk. Continue Reading
News 10 Aug 2020

Games, not shame: Why security awareness training needs a makeover

Elevate Security co-founder Masha Sedova spoke at Black Hat USA 2020 about why traditional security awareness training is ineffective and fails to change risky behavior. Continue Reading
News 06 Aug 2020

Voting vendor ES&S unveils vulnerability disclosure program

Election Systems & Software, the biggest vendor of U.S. voting equipment, will allow the security researcher community to test its elections equipment for vulnerabilities. Continue Reading
Quiz 03 Aug 2020

Test your cybersecurity knowledge with this quick ISM quiz

Read our August 2020 e-zine, and then take this short quiz to test your knowledge of cybersecurity awareness training and other issues -- from types of CISOs to talent recruitment. Continue Reading
Feature 03 Aug 2020

10 tips for cybersecurity awareness programs in uncertain times

Explore the winning tactics and tools CISOs and other cybersecurity leaders are employing in their programs to raise employee security awareness -- and consider how they might work for you. Continue Reading
E-Zine 03 Aug 2020

Cybersecurity education for employees: Learn what works

Continue Reading
Opinion 03 Aug 2020

Importance of cybersecurity awareness never greater

Security awareness is more essential than ever, but in a world of increasingly sophisticated threats, making it a reality requires more than set-it-and-forget-it training. Continue Reading
03 Aug 2020

10 tips for cybersecurity awareness programs in uncertain times

Continue Reading
03 Aug 2020

Importance of cybersecurity awareness never greater

Continue Reading
Tip 03 Aug 2020

How to start an enterprise bug bounty program and why

Incentivizing researchers for finding software vulnerabilities can be advantageous for vendors and participants. Here's what to know before starting a bug bounty program. Continue Reading
Feature 30 Jul 2020

How CISOs can deal with cybersecurity stress and burnout

Being a paramedic and working in cybersecurity taught CISO Rich Mogull how to avoid stress and burnout. Check out his advice to maintain mental health in high-stress roles. Continue Reading
Answer 15 Jun 2020

How to protect workloads using a zero-trust security model

Never trust, always verify. Learn how to implement a zero-trust security model to help manage risk and protect IT workloads at your organization. Continue Reading
Tip 05 May 2020

Identifying common Microsoft 365 security misconfigurations

Microsoft 365 security problems can double the time it takes to contain a breach, according to a new survey. Check out best practices and operational strategies to fix them. Continue Reading
News 28 Apr 2020

Bugcrowd launches 'classic' penetration testing service

The crowdsourcing security company launched the Bugcrowd Classic Pen Test service to offer enterprises a more cost-effective and efficient way to test their cybersecurity posture. Continue Reading
Tip 07 Apr 2020

AI pen testing promises, delivers both speed and accuracy

AI is making many essential cybersecurity tasks more effective and efficient. AI-enabled penetration testing, or BAS, technologies are a case in point. Continue Reading
News 01 Apr 2020

Voatz disputes claims it was 'kicked off' HackerOne

HackerOne has cut ties with Voatz, but the mobile voting vendor disputed reports that it was kicked off the bug bounty platform following controversy with security researchers. Continue Reading
Answer 10 Mar 2020

Risk management vs. risk assessment vs. risk analysis

Understanding risk is the first step to making informed budget and security decisions. Explore the differences between risk management vs. risk assessment vs. risk analysis. Continue Reading
Opinion 04 Mar 2020

RSA 2020 wrap-up: VMware Carbon Black integrations; MAM for BYOD; how to handle non-employees

RSA is always full of interesting things to learn about, so here are a few more vendors I sat down with. Continue Reading
03 Feb 2020

Cisco CISO says today's enterprise must take chances

Continue Reading
Feature 03 Feb 2020

Cisco CISO says today's enterprise must take chances

Cisco CISO Steve Martino talks about taking chances, threats, how the security leader's role is changing and what really works when it comes to keeping the company secure. Continue Reading
Tip 22 Jan 2020

How to write a quality penetration testing report

Writing a penetration testing report might not be the most fun part of the job, but it's a critical component. These tips will help you write a good one. Continue Reading
News 20 Jan 2020

CyCognito turning tables by using botnets for good

In this Q&A with CyCognito CEO Rob Gurzeev, he discusses what led to his company, how attack simulations work and how he plans to spend the company's recent round of funding. Continue Reading
Tip 16 Jan 2020

Craft an effective application security testing process

For many reasons, only about half of all web apps get proper security evaluation and testing. Here's how to fix that stat and better protect your organization's systems and data. Continue Reading
Quiz 07 Jan 2020

CISM practice questions to prep for the exam

Risk management is at the core of being a security manager. Practice your risk management knowledge with these CISM practice questions. Continue Reading
Tip 31 Dec 2019

NIST CSF provides guidelines for risk-based cybersecurity

Organizations benefit from identifying their unique risks when developing cybersecurity processes. Here's how the NIST Cybersecurity Framework can help guide risk-based IT protection. Continue Reading
News 16 Dec 2019

Siemens ICS flaws could allow remote exploits

Siemens recommends locking down industrial control systems as security researchers disclose 54 bugs, including remote exploit flaws, but only three patches are available. Continue Reading
Answer 09 Dec 2019

How can companies identify IT infrastructure vulnerabilities?

New, sophisticated technology is available to help infosec pros find IT infrastructure vulnerabilities. Automated pen testing and outsourcing threat intelligence services can help. Continue Reading
News 22 Nov 2019

Android Security Rewards program expands, adds $1.5M bounty

Google expanded its Android bug bounty program to include data exfiltration and lock screen bypass and raised its top prize for a full chain exploit of a Pixel device. Continue Reading
Answer 21 Nov 2019

Do you have the right set of penetration tester skills?

Pen testing is more than just the fun of breaking into systems. Learn about the critical penetration tester skills potential candidates must master to become proficient in their career path. Continue Reading
News 15 Nov 2019

Check Point: Qualcomm TrustZone flaws could be 'game over'

Researchers discovered vulnerabilities in Qualcomm TrustZone that Check Point says could lead to 'unprecedented access' because of the extremely sensitive data stored in mobile secure elements. Continue Reading
Feature 13 Nov 2019

Build new and old strategies into insider threat management

The risk of insider threat does not discriminate across industry lines. Learn how to build an insider threat management program that combines AI, zero-trust principles and a healthy security culture. Continue Reading
Feature 25 Oct 2019

On a penetration tester career path, flexibility and curiosity are key

Becoming a pen tester takes more than passing an exam. Learn the qualities ethical hackers should embrace to achieve success on their penetration tester career path. Continue Reading
Quiz 24 Oct 2019

CompTIA PenTest+ practice test questions to assess your knowledge

Think you're ready to take the CompTIA PenTest+ certification exam? Test your skill set with some of the sample multiple-choice questions you may be facing. Continue Reading
Feature 23 Oct 2019

Combat the human aspect of risk with insider threat management

When it comes to insider threat awareness and prevention, enterprises would be wise to marry a people-centric approach with a technology-centric approach. Continue Reading
News 22 Oct 2019

Bugcrowd launches Attack Surface Management platform

The new platform provides an extra layer of testing by sending its findings to Bugcrowd's crowdsourced security testing tools. Continue Reading
Feature 21 Oct 2019

Netscout CSO speaks to third-party risk, security gender gap

Veteran CSO at Netscout Deb Briggs recaps her fireside chat with Cisco CSO Edna Conway at FutureCon 2019, including their discussion on third-party risk and the gender gap in the security industry. Continue Reading
Answer 21 Oct 2019

6 different types of hackers, from black hat to red hat

Black, white and grey hats are familiar to security pros, but as the spectrum evolves to include green, blue and red, things get muddled. Brush up on types of hackers, new and old. Continue Reading
Tip 15 Oct 2019

Essential instruments for a pen test toolkit

Does your penetration testing toolkit have the proper contents? Learn the must-have tool for any pen tester, as well as specific tools for wireless, network and web app pen testing. Continue Reading
Feature 01 Oct 2019

Your third-party risk management best practices need updating

Organizations must modernize third-party risk management best practices to adapt to the changing technology landscape. Diversify risk assessments with these expert tips. Continue Reading
Feature 26 Sep 2019

Top tips for using the Kali Linux pen testing distribution

It's the best Linux distro for penetration testers' toolkits, but it's not just any Linux. Get tips on Kali Linux pen testing from project lead Jim O'Gorman. Continue Reading
Answer 26 Sep 2019

Penetration testing vs. red team: What's the difference?

Is penetration testing the same as red team engagement? There are similarities, but they're not the same. Understand the differences to improve your organization's cyberdefenses. Continue Reading
Tip 25 Sep 2019

Build an agile cybersecurity program with Scrum

Scrum's core principles translate well into an agile cybersecurity program setting. Learn how this framework bolsters communication and collaboration within infosec teams. Continue Reading
Feature 24 Sep 2019

Using DNS RPZ to pump up cybersecurity awareness

Combining DNS with threat intelligence feeds could hold a key to improving cybersecurity awareness by educating users who attempt to access potentially malicious websites. Continue Reading
Tip 19 Sep 2019

Cybersecurity frameworks hold key to solid security strategy

Cybersecurity frameworks take work, but they help organizations clarify their security strategies. If you don't have one, here's what to consider, even for emerging perimeterless security options. Continue Reading
News 12 Sep 2019

DerbyCon panel discusses IT mistakes that need to stop

Common security risks can be mitigated or prevented, according to a panel at DerbyCon. But users need to feel empowered to speak up, and education needs to be better. Continue Reading
News 10 Sep 2019

DerbyCon session tackles cyber attribution, false flag attacks

One expert showed the crowd at DerbyCon that proper attribution of a cyberattack requires multiple indicators in order to avoid being fooled by a false flag attempt. Continue Reading
Feature 05 Sep 2019

How does AttackSurfaceMapper help with attack surface mapping?

A new open source pen testing tool expedites attack surface mapping -- one of the most important aspects of any penetration testing engagement. Continue Reading
Answer 19 Aug 2019

How to build an enterprise penetration testing plan

Simulating an attack against your network is one of the best ways to remediate security holes before the bad guys find them. Here, learn penetration testing basics and how it can help keep your enterprise safe. Continue Reading
Feature 16 Aug 2019

How to identify and evaluate cybersecurity frameworks

Not all frameworks for cybersecurity are equal. ESG's Jon Oltsik explains what attributes make a cybersecurity framework and how to go about choosing and using one. Continue Reading
News 13 Aug 2019

Google wants Project Zero to be part of an open alliance

After five years of running Project Zero, Google wants to expand the scope to an open alliance of vulnerability researchers all working toward the same goal to 'make 0day hard.' Continue Reading
News 08 Aug 2019

Apple bug bounty expands to MacOS, offers $1 million iOS reward

Apple announced an expansion of its bug bounty program at Black Hat 2019, including rewards for MacOS vulnerabilities and a $1 million reward for a zero-click iOS exploit. Continue Reading
Opinion 01 Aug 2019

The must-have skills for cybersecurity aren't what you think

The most critical skills that cybersecurity lacks -- like leadership buy-in, people skills and the ability to communicate -- are not the ones you hear about. That needs to change. Continue Reading
01 Aug 2019

The must-have skills for cybersecurity aren't what you think

Continue Reading
Feature 01 Aug 2019

Fitting cybersecurity frameworks into your security strategy

Whatever an organization's culture, effective use of a security framework requires understanding business goals and program metrics, and demands leadership communication. Continue Reading
01 Aug 2019

Fitting cybersecurity frameworks into your security strategy

Continue Reading
Feature 30 Jul 2019

Tackling IT security awareness training with a county CISO

A Michigan county CISO says government workers are under siege by cybercriminals. In this case study, he shares how his IT security awareness training strategy has evolved. Continue Reading
Tip 29 Jul 2019

3 ways to shore up third-party risk management programs

A new Nemertes research study shows enterprises need to adopt third-party risk management programs that jettison manual checklists in favor of automated tools, hands-on risk assessments and dedicated risk teams. Continue Reading
Answer 28 Jun 2019

Do I need to adopt a cybersecurity framework?

A comprehensive cybersecurity framework can help businesses avoid costly attacks. But there are other advantages. Continue Reading
Answer 28 Jun 2019

What's the best way to maintain top cybersecurity frameworks?

Keeping top cybersecurity frameworks up to date means understanding how a business evolves and changes. What steps should you take to maintain your security strategy? Continue Reading
Answer 28 Jun 2019

What are the core components of a cybersecurity framework?

Cybersecurity frameworks differ from one company to another, but each plan has four fundamental stages. Find out what you need to know. Continue Reading
Feature 26 Jun 2019

Build a proactive cybersecurity approach that delivers

Whether it's zero-trust, adaptive security or just plain common sense, IT leaders must embrace an approach to IT security that's proactive, not reactive. Continue Reading
Feature 14 Jun 2019

SANS security awareness credential paves new career path

The SANS Security Awareness Professional credential gives enterprises a new method to recognize and promote cybersecurity awareness in the organization. Continue Reading
Feature 06 Jun 2019

Security awareness training for executives keeps whaling at bay

Security awareness training for executives teaches an enterprise's biggest fish to recognize potential whaling attacks -- before they take the bait. Continue Reading
Feature 23 May 2019

10 ways to prevent computer security threats from insiders

Whether via the spread of malware, spyware or viruses, insiders can do as much damage as outside attackers. Here's how to prevent computer security threats from insiders. Continue Reading
Podcast 22 May 2019

Risk & Repeat: Cisco vulnerabilities raise backdoor concerns

This week's Risk & Repeat podcast looks at vulnerabilities in Cisco and Huawei products, which have raised concerns about backdoor access in networking equipment. Continue Reading
Feature 21 May 2019

IT pros stress importance of security awareness training

End-user naiveté can lead to costly data breaches, underscoring the critical importance of security awareness training. Learn how phishing simulation tools can help. Continue Reading
Tip 10 May 2019

Building a cybersecurity awareness training program

Cybersecurity awareness training programs are sometimes perceived as an extraneous waste of time and energy, but are essential to building a strong security culture. Continue Reading
Tip 08 May 2019

How to perform a building security assessment

There are four major systems to review in a building security assessment. Learn what they are and how to review their potential cyber and physical risks. Continue Reading
Tip 08 May 2019

How to conduct a security risk review on a large building

Assessors cannot dive into a security risk review of a large building; they have to prepare and strategize ahead of time. Learn how to get ready for this type of security assessment. Continue Reading
Infographic 01 May 2019

Are users your biggest risk? Raise IT security awareness

Users are either your best line of defense or greatest vulnerability. Learn how attackers exploit human behavior and fight back by improving user security awareness. Continue Reading
Tip 29 Apr 2019

How can organizations build cybersecurity awareness among employees?

A high level of cybersecurity awareness among employees is essential to protect corporate data. To build this awareness, start with a strong cybersecurity culture. Continue Reading
Answer 11 Apr 2019

How important is security awareness training for executives?

Corporate executives are prime targets for spies and hackers, and that is why security awareness training for executives is so important. Continue Reading
Answer 10 Apr 2019

What are the most important security awareness training topics?

Organizations looking to heighten security awareness among employees need to cover a wide variety of security awareness training topics, but social engineering tops the list. Continue Reading
Answer 08 Apr 2019

Why do enterprises need employee security awareness training?

With human error as the leading cause of breaches and security incidents within the enterprise, organizations should offer employees mandatory security awareness training with regular refreshers. Continue Reading
News 26 Feb 2019

CERT/CC's Art Manion says CVSS scoring needs to be replaced

Security expert Art Manion discusses what he calls major problems within the Common Vulnerability Scoring System and explains why CVSS needs to be replaced. Continue Reading
E-Zine 01 Feb 2019

CISOs build cybersecurity business case amid attack onslaught

Continue Reading
News 23 Jan 2019

Top security initiatives for 2019 include MFA, end-user training

TechTarget's IT Priorities survey revealed key security initiatives companies plan to implement in 2019. Experts weigh in on best practices to be adopted. Continue Reading
News 18 Jan 2019

Experts: A breach response plan is a must in 2019

During an IT GRC Forum webinar, experts explain the need for shedding legacy security approaches and highlight the gravity of drafting a data breach response plan. Continue Reading
Answer 14 Jan 2019

How can an authentication bypass vulnerability be exploited?

A vulnerability was found in Western Digital's My Cloud NAS device that can be easily exploited by hackers. Discover what this vulnerability is and how users can be protected. Continue Reading
Tip 20 Dec 2018

What Moody's cyber-risk ratings mean for enterprises

Moody's announced it will soon begin composing cyber-risk ratings for enterprises. Kevin McDonald explores the move and what it could mean for enterprises and the infosec industry. Continue Reading
Answer 10 Dec 2018

L1TF: How do new vulnerabilities affect Intel processors?

New speculative execution vulnerabilities have been found affecting Intel processors. Learn how these flaws can lead to side-channel attacks with Judith Myerson. Continue Reading
News 30 Nov 2018

Mitre enters product testing with Mitre ATT&CK framework

The first round of evaluations using the Mitre ATT&CK framework has gone public, putting on display how different endpoint products detect advanced threat activities. Continue Reading
Answer 20 Nov 2018

Can a D-Link router vulnerability threaten bank customers?

A D-Link router vulnerability was used to send banking users to a fake site in order to steal their information. Learn more about this vulnerability with expert Judith Myerson. Continue Reading
News 15 Nov 2018

BT Security CEO: Red teaming is valuable, but challenging

During the Securing the Enterprise conference at MIT's CSAIL, BT Security CEO Mark Hughes discusses the benefits and challenges red teaming has presented to his company. Continue Reading
Tip 12 Nov 2018

Insider threat protection: Strategies for enterprises

Insider threats pose a serious risk to enterprises. Peter Sullivan explains how enterprises can use background checks and risk assessments for insider threat protection. Continue Reading
Tip 11 Oct 2018

How entropy sources interact with security and privacy plans

NIST published a draft of its 'Risk Management Framework for Information Systems and Organizations.' Learn what this report entails, as well as how entropy source controls play a key role. Continue Reading
Opinion 02 Oct 2018

Industries seek to improve third-party security risk controls

Healthcare security leaders are developing industry best practices for better third-party risk management using common assessment and certification standards. Continue Reading
02 Oct 2018

White hat Dave Kennedy on purple teaming, penetration testing

Continue Reading
Opinion 02 Oct 2018

White hat Dave Kennedy on purple teaming, penetration testing

Russia and other nation-states use application control bypass techniques because they don't "trigger any alarms," the chief hacking officer says. Continue Reading
02 Oct 2018

CISOs face third-party risk management challenges

Continue Reading
Feature 02 Oct 2018

CISOs face third-party risk management challenges

Security professionals understand all too well what's at stake, and that's why more companies look to tighten up security with third parties. Continue Reading