Compliance v. Security

An essay in a recent Wall Street Journal (December 3, 2011) caught my attention on the subject of compliance v. security.  The article, “Starting Over With Regulation” by Philip K. Howard (also available at www.commongood.org), makes the case that government regulation in general is too complex to work.  Recent failures by Congress to simplify Sarbox 404…

GAO Report on Information Security in Federal Government

Do you think your information is secure within the federal government?  You can make your own decision by reading the recent Information Security assessment by the Government Accountability Office (GAO).  Some observations by GAO are expected, others are disturbing.  Here are some statements that caught my attention:   1.  Growth in reported incidents from 2006 to 2010…

Lean Security

Earlier this year I published an ISSA Journal article (ISSA Journal, May 2011) advocating the use of lean management techniques to manage security.  This is just an observation that security needs to use business management methods to tie together people, process, technology and partners.   Recently in the Harvard Business Review of October 2011 a good article appeared…

Mitigate Your Social Engineering Vulnerabilities

Security managers spend significant amounts of time analyzing software vulnerabilities and patching the same.  I just looked at the Common Vulnerability and Exposure database (CVE) and see that it now has 47,555 vulnerabilities.  But how many security managers have analyzed or cataloged the social engineering vulnerabilities faced by their organizations?  I suspect few.  Virtually all security managers…

HIPAA Security. Are We Making Progress?

The recent breach of 20,000 medical records at Stanford Hospital has me concerned.  The institution is part of Stanford University Medical Center and is a top rated health care provider.  Are we making progress on HIPAA security?  Are things getting better?  If this institution cannot effectively protect patient data, who can?  I analyzed the data…

Brand Your Security Program

One of the key challenges in building a security program is getting active participation from across the organization, from line workers to top management.  All of these people have “day jobs” and security is too easily put out of mind. “Why Every Project Needs a Brand (and How to Create One)” appearing in the Summer…

PDCA is Dead

I have to admit that I have never really understood the PDCA concept as it applies to information security.  I do know that PDCA stands for Plan-Do-Check-Act, but I have never understood the difference between Do and Act, other than there is a Check step in between.  Also, I can never remember which way the…

Learning From Past Mistakes

I tend to read any legal cases about information security, because they are one source where accurate root cause information on breaches can be found.  Two very interesting decisions on security at banks were recently published.  One is the May 27 US District Court decision on Patco v. People’s United Bank.  An even more recent decision…

How Better Security Can Create Shared Value

A recent article by Michael Porter and Mark Kramer, Creating Shared Value (Harvard Business Review, January-February 2011) makes the point that a focus on “shared value” can help give birth to a new capitalism and move business beyond its short-term profit focus.  Shared Value, as defined by Professor Porter, is not giving money away, but rather…
