Posts Tagged ‘security’
The First National Cybersecurity Summit
On July 31, 2018, I attended the first National Cybersecurity Summit at the US Customs House in lower Manhattan. The building itself was constructed around 1902-1907 in order to collect tariffs. Teddy Roosevelt was President and tariffs were a subject of divisive national debate. Global issues were still in evidence at the Cybersecurity Summit, with…
Read MoreNew Privacy Laws Require Security Professionals Up Their Game
Two recent privacy laws—GDPR and the California Consumer Privacy Act (AB-375) –focus more attention on protecting the digital privacy of individuals. Both laws will require that security professionals up their game. In this post, I will cover some of the security implications of AB 375. Gone are the days when privacy requirements could be handed…
Read MoreBuilding a Security Start-Up
If only building a security start-up was as predictable as transitioning from caterpillar to butterfly! But, it’s not. Unfortunately, it usually requires many turns and corresponding changes. Consider companies like Blackberry, once a ubiquitous handset provider, now an enterprise security provider. Or Radware, once a load balancing product company, is now known for its DDoS…
Read MoreAlign Your Security Program With the Business
Information security used to be part of IT. That has changed recently; security now needs to be independently aligned with the business operations, not just IT operations. The PCI SSC calls this “Business as Usual” (BAU). NIST CSF talks about aligning cybersecurity requirements with business activities. I call this process information security governance and maintain…
Read MoreEnterprise Risk Management and Information Security
Enterprise Risk Management (ERM) has been around at least since the days of the Trojan Horse. Information security risk management can learn much from ERM and avoid reinventing the wheel. The National Association of Corporate Directors (NACD) made this clear in the 2014 handbook Cyber-Risk Oversight. Principle #1 is to approach cybersecurity as an enterprise-wide risk…
Read MoreEvidence Based Risk Assessment: Lessons Learned from the Y-12 Breach
My approach to risk assessment always includes analysis of actual breaches in an industry similar to the client industry. This is the evidence-based component of risk analysis. On July 28, 2012, three protesters broke into the Y-12 Highly Enriched Uranium Manufacturing Facility (HEUMF) in Oak Ridge, Tennessee. While you may not run a nuclear complex,…
Read MoreLocking Up the Ivory Tower
Universities are traditionally open, without all of the information security controls that are implemented in the corporate environment. Not surprising, given that the term university means community. It is hard to build community with overly restrictive security controls. Now, however, the New York Times reports that universities are under increasing attack from cybersecurity threats—“Universities Face…
Read MoreMore Security Lessons Learned from the Y-12 Breach
Our local newspaper, The Tennessean, recently ran a story on the Y-12 nuclear facility break-in last year. The defendants are now scheduled for a May trial in the Eastern District Court of Tennessee. This prompted me to review the Inspector General’s Y-12 security breach report for lessons learned. This report is one of the few published analyses of security…
Read MoreSecurity or Compliance?
There is a debate among security professionals as to whether a strong compliance or strong security program best protects the enterprise. Arguments along the lines of compliance is “just satisfying a checklist” and “security is not compliance” are offered. Obviously compliance requirements must be satisfied and often compliance programs help justify “security” programs and budgets. …
Read MoreHome Disaster Recovery Planning
Many businesses today assume that their workers will report to home in the event of a disaster at the corporate offices. In fact, workers are already telecommuting or working full-time in home offices. The widespread implementation of broadband connectivity has made this possible. In many cases, corporate disaster recovery planning has not taken into account…
Read More