It is standard business practice for organizations to have a contingency plan after acknowledging the various threats and risks that it faces. Having a plan in place, however, is not enough. The organization must periodically update the plan, test how well it works, communicate it to stakeholders, and ensure that people have the capability to…
Details
What might the most damaging attacks of the future look like? The answer to the question may lie somewhere between the known patterns that attackers have established over the years, and signs that we are starting to see today. A look back It started with the sun and the moon. Solar Sunrise was discovered in…
Details
Your organization’s security stance must be supported by everyone in the company, every day, in all that they do. However, people are focused on their jobs, not necessarily on security. With attacks increasingly starting at the human level through social media or targeted emails, your organization needs to create and maintain a high level of…
Details
Did you know you need just three resources to build a highly effective security program? It’s true. Your success will be highly contingent upon how you leverage people, process and technology. Perhaps it is the rule of three which make this all gel, but if you take proper care of these three elements, everything else…
Details
In 2017, six of the top ten HIPAA breaches reported to the U.S. Department of Health and Human Services (HHS) stemmed from ransomware.[1] In a typical ransomware attack, important data is encrypted and “held for ransom” until the victim pays a designated amount in exchange for gaining access to the keys to decrypt the data…
Details
In my previous article, I tried to cover why metrics are an important part of your security program and some of my beliefs about how metrics should be created and used. I am often asked about what specific metrics I collect, what metrics are important to my trustees, and how I report on them. I…
Details
So…you are responsible for the computer security of your organization. You probably have many great ideas on how to do this. You start looking around for products and services to implement those plans of yours and figure out quickly there are no commercial solutions that fit into your budget. Now what do you do? Enter…
Details
For the third straight year, Drs. Daniel Solove and Paul Schwartz held their Privacy and Security Forum at George Washington University Law School. For the third straight year I attended and presented. This year’s forum was the biggest ever and like the previous years, was packed with different sessions on issues ranging from GDPR to…
Details
Blockchain has the potential to be one of the most disruptive technologies since the invention of the Internet. There is an entire class of problems with distributed reconciliation of data entries that this can potentially solve. The creators of Blockchain saw past its initial usage for cryptocurrency implementation toward a future where many distributed applications…
Details
As business functions move to the cloud, it’s imperative to retain visibility into who is connecting to cloud applications, what they are doing, and what devices they are using to connect. This is where Cloud Access Security Brokers (CASBs) come into play. CASB solutions help manage risk by providing the visibility, and in some cases,…
Details
There are many skilled and intelligent people who aspire to become a Chief Information Security Officer (CISO). I have some career advice for them: Don’t aspire to be a CISO. Instead, seek to be the best professional at each step in your career. Those of us who do become CISOs do so because we have a…
Details
I have gone back and forth for a long time. Should security be risk-centric or data-centric. Outside of security professionals, you sometimes meet people who believe security should be compliance-centric and others who believe security should be audit-centric (which is a type of compliance-centrism). Certainly there used to be network-centric views of security but they…
Details