As security practitioners, we know that nary a day goes by when our schedule for the day (or week) goes as planned. There is always an alert to address, an attack to thwart, an email that takes priority or a senior leader that needs data right away. We’ve all experienced this, and we are only…
DetailsI’ve been known to say that ‘I’ve been in InfoSec since before it was cool.’ After 20 years of being on the front lines, first as a consultant, then as the one responsible for implementing a strategy and building the programs, I’ve truly lost count of the times I’ve heard others using F.U.D. to further…
DetailsIf we live in a data-centric world, it is still true that data are more immediate for some than for others. To use one individual as an example: by the fifth grade, Ben was an excellent data analyst. His life depended on it. Ben went to grade school with my younger son and Ben has…
DetailsSomeone recently pointed out an article to me: ‘Big 12 beats Ivy League – in cybersecurity’ I didn’t realize that there was a competition between schools as to who does better security. I know that we are competing with the bad guys, that is obvious, but now I have to worry about beating out my…
DetailsThe last series I wrote for securitycurrent dealt with principles of data security and privacy. Many authorities charged with enforcing data protection accept the principles. They are based on the idea that the actors in data transactions ( i.e., subjects, collectors, disclosers, users and regulators) all have a role to play in creating and maintaining the world…
DetailsRecently I have begun to think about the strengths that make a good CISO. Some of those include technical understanding, business acumen, strategic vision, collaborative mindset, risk management mindset, and probably many others that I missed. These are traits that are similar to ones found in very successful security entrepreneurs. As I look across the…
DetailsMost of you reading this are security practitioners, and I can safely assume that each of you has discussed this topic at conferences and airports for years: Is our role a thankless one, and one doomed for failure? A recent article in the New York Times on July 20, 20141 provided an objective look at…
DetailsThere is no task more difficult for a CISO than stepping into that role at a large organization that has never had a CISO and has recently experienced a devastating breach that is at least partly responsible for the departure of senior IT management and the CEO. securitycurrent polled its contributors to compile advice for…
DetailsOne of the most difficult decisions a CISO has to make is the one that says the organization suffered a data breach. A data breach starts a chain of events that could eventually result in loss of company reputation, financial expenditures for credit monitoring of affected individuals, and possible regulatory and legal fines. Not surprisingly, the…
DetailsLife as a Chief Information Security Officer can oftentimes be hard on the ego. It is surely one career in which it is easy to fall in to an identity crises (which is a different “identity management” than we are used to dealing with). How many times have we heard that the position of a…
DetailsYou almost have to be on some deserted island with no Internet access to have not heard about the OpenSSL Heartbleed vulnerability. This vulnerability is very serious and pervasive because of a few simple reasons: 1) it allows attackers to be able to dump a target’s memory which can include among other things, usernames/passwords, emails…
DetailsThursday, April 18 started out as a normal day (except for all of the Heartbleed hubbub), that was, until we realized that the University had been hit with about 32K of phishing emails. I have to hand it to the phishers, they did a really nice job. An email, signed by one of our help…
Details