As the 2016 Republican and Democratic National Conventions are about to begin, Security Current has challenged me to reflect on an assignment I was given when I was an IT security executive at a major cable, telecommunications and Internet Service Provider. Over four years ago, I was given the opportunity to build from the ground…
DetailsRead Part One All Infrastructure and the NIST Framework. In this series I will take a close look at the Framework for Improving Critical Infrastructure Cybersecurity which NIST first published in February of 2014. Is that news? No, of course it isn’t. In fact, deterrence (fear) may seem like an odd concept for cybersecurity. Arguably, except…
DetailsOne of the most useful things to me in trying to secure an enterprise like Columbia University is information, and the more information, the better. This means that for most of the time that I am not in meetings, I sit and read. Most of my input overload comes in the form of emails, approximately…
DetailsAlthough information systems logs have been around since the early mainframe days, the concept of collecting and analyzing logs for security purposes is still a relatively new concept. From my limited research, the term SEM (Security Event Management) was pioneered by a small company called E-Security in 1999. SIM (Security Information Management) or SIEM (Security…
DetailsMore and more devices are being Internet-enabled daily. To securely drive an organization’s digital strategy, CISOs need to better understand business and new technologies across groups within the enterprise. It is critical to learn how to create value from their data, and understand technical capabilities for the whole business, not just in the IT domain,…
DetailsEach infrastructure is critical to someone. Go ahead: ask a CIO if they are in charge of something other than “critical infrastructure” and see what they say. In fact, the increasing criticality of all aspects of infrastructure underlies all our assumptions about security and privacy. This article is the first in a series where I…
DetailsMy friend Randy Marchany tweeted a link to an article “Millennials Value Speed Over Security, Says Survey” that started me thinking about the apparent conflict between speed and security. If you google “Agile software development,” you will see a Wikipedia page, which extensively covers the topic. “Agile software development is a set of principles for software development in…
DetailsIt’s impossible to build out a really strong IT security program without the solid foundation of a great security team. Pritesh Parekh, VP and CSO of Zuora, winner of the 2016 SC Magazine Award for Best Security Team, shares his best practices for structuring, hiring and managing a high-performing security team that will effectively execute…
DetailsTry and do an information security risk assessment of a law firm your company uses. Give them an InfoSec security questionnaire to fill out and request key information security documents. And if they host a lot of your sensitive data ask for a SOC2 report or even a penetration test report. What are the chances you…
DetailsI was looking at Facebook the other day (yes, I know – a security guy that uses Facebook – just wait until you have grandkids and a scary message appeared at the top of the page. It was the 39 year anniversary of my employment at Columbia University. I have been working in IT for 39…
DetailsPasswords are not a means of securing information. Bill Gates told us this in 2004, but it’s 2016 now and this time, we really mean it. Gates’ reasoning was that passwords were just insufficient to protect the growing information field and the privacy of sensitive information. The problem now is not that passwords are insecure –…
DetailsGlenn Fink, a security researcher at Pacific Northwest Labs, did a presentation called the “Internet of Cows” at a recent IEEE conference where he showed how dairy farming has become an automated, internet accessible business process. He took the discussion one step further by saying that cows make great human surrogates in the privacy debates surrounding IoT. He…
Details