Is There a Cybersecurity Professionals Shortage?

There is no shortage of headlines presenting a shortage of cybersecurity professionals as established fact. For example, this one from Information Week. I have taught security at the graduate level and can report that all my students found good jobs. But I get a little skeptical after reading all of these headlines from other industries: “The worker…

No Blue Pill for Cybersecurity Failures

A few weeks ago, I was asked to comment on the “most underestimated IT security threat”. My answer was “us”. The full post is here. My conclusion will remain valid for 2017 and at least the next 10-20 years. Why? Because there are no magic pills to prevent cybersecurity failures. Only your own diligence…

Presidential Cybersecurity Commission Makes Some Good Suggestions

President Obama’s Commission on Enhancing National Cybersecurity issued its report on December 1, and I thought it had some good recommendations. I was expecting a long list of regulatory requirements but did not find those. Now we have to wait to see if the incoming President chooses to follow the recommendations. The report contents were…

Understanding Intelligence

It is obvious that cybersecurity will continue to play an important part in national security. But as a Washington outsider, it is difficult to see inside the government policies and organizations that are responsible for this security. Michael Hayden has taken a significant step in providing this insight through his recent book, Playing to the Edge (2016). …

Align Your Security Program With the Business

Information security used to be part of IT. That has changed recently; security now needs to be aligned independently with business operations, not just IT operations. The PCI SSC calls this “Business as Usual” (BAU). The NIST CSF talks about aligning cybersecurity requirements with business activities. I call this process information security governance and maintain…

Don’t fall victim to BEC

Business Email Compromise (BEC) continues to be one of the most successful information security attack vectors. Criminals steal the email addresses and passwords of C-level executives and then use this information to initiate fraudulent financial transfers from the executive’s employer to the criminal’s bank account. In this process the executive’s home network is also vulnerable. It…

Enterprise Risk Management and Information Security

Enterprise Risk Management (ERM) has been around at least since the days of the Trojan Horse. Information security risk management can learn much from ERM and avoid reinventing the wheel. The National Association of Corporate Directors (NACD) made this clear in the 2014 handbook Cyber-Risk Oversight. Principle #1 is to approach cybersecurity as an enterprise-wide risk…

Evidence Based Risk Assessment: Lessons Learned from the Y-12 Breach

My approach to risk assessment always includes analysis of actual breaches in an industry similar to the client industry. This is the evidence-based component of risk analysis. On July 28, 2012, three protesters broke into the Y-12 Highly Enriched Uranium Manufacturing Facility (HEUMF) in Oak Ridge, Tennessee. While you may not run a nuclear complex,…

First Conviction for Illegally Distributing Android Apps

Reuters reports today the guilty plea and plea agreement of Kody Peterson, charged with illegally distributing Android apps. The conviction was the first copyright theft case involving Android apps. The case was tried in US District Court for the Northern District of Georgia. The original charges are here. According to the US Attorney, the defendant obtained or created…

Locking Up the Ivory Tower

Universities are traditionally open, without all of the information security controls that are implemented in the corporate environment. Not surprising, given that the term university means community. It is hard to build community with overly restrictive security controls. Now, however, the New York Times reports that universities are under increasing attack from cybersecurity threats—“Universities Face…
