The NSA leaks have created new opportunities for non U.S.-based cloud providers.
Developing people and political skills among IT security pros is as important as developing technical skills, but it is often overlooked.
I had the good fortune to attend the CISO Forum in London this week, and as usual it offered a lively discussion of the critical security concerns faced by enterprises, governments and non-profits. Topics covered long-running themes such as how to define, measure and manage risk; how to communicate the value of and need for information security to the C-suite and board; how getting the basics right is difficult for most organizations; the security skills shortage; the need to provide agile security; and more. Continue reading “Notes from the Front Line: CISOs Share their Problems and Prescriptions”→
The disclosure of the devastating Heartbleed bug – two years in the wild – illustrates how much the technology industry under-invests in software integrity.
Bug bounty programs spur greater participation in vulnerability research, and those who benefit most directly from open source software should contribute to an open source bug bounty program.
Unless you’ve taken a holiday from the connected world, you probably know by now about the Heartbleed bug. And if you’re a CSO or CISO, you’ve most likely seen plenty of suggestions on how to respond to the threat posed by this extremely risky and widespread vulnerability. Although the effort to address the problem is not quite as Herculean, it struck me that the response to the Heartbleed bug needs to be nearly as widespread as the effort to fix the date problem at the turn of the 21st century. Estimates I saw of how widespread OpenSSL use is suggest that as much as 66% of all websites across the globe use OpenSSL, and some reports suggested that the technology is embedded in a wide variety of network infrastructure devices, including routers, WLAN controllers, firewalls and more. But while enterprises had plenty of advance notice to address the date problem leading up to the year 2000, website operators and technology vendors need to move with the utmost urgency to patch this flaw and clean up the mess created by this “catastrophic” vulnerability. It shouldn’t be a surprise that the coding error happened, and I don’t think that its existence is necessarily a condemnation of the way that open source vetting works. Continue reading “Heartbleed Bug Shows Industry is Under-investing in Software Integrity”→
A good security defense requires equal measures of investment in not only technology but also people and processes.
Detecting breaches is not the end game, but the beginning of a process to understand the scope and impact and then respond quickly to minimize the damage.
Thinking about the latest revelations around the Target breach, and how Target’s FireEye deployment had alerted the company to the breach early on, it struck me that the company had invested appropriately in technology but underinvested in its people and processes. It’s easy for technologists to fall for the silver bullet trap, investing in technology with the belief that it will make a particular problem or pain go away. It’s a whole lot harder to muster the resources required to properly exploit the benefits of the technology when budgets are tight and skilled security analysts are in short supply. It’s time for enterprises to invest more in training to develop the skilled staff necessary to meet the challenges posed by today’s threat landscape. At the same time, it’s equally important to invest in developing the processes needed to deal effectively with the glut of alerts and the follow-on investigations required to scope out the extent of those potential breaches. When key security employees leave, the appropriate training and processes can help fill the void they leave and ensure such inevitable changes don’t negatively impact the organization’s security defenses. Continue reading “Good Security is a Three-legged Stool: Technology, People and Process”→
The steady rise of data breaches poses a danger that C-level executives will come to view them as a cost of doing business.
But with those costs on the rise, organizations can’t afford the price tag, and they have to get better at managing risks in the new reality of mobility, cloud computing and consumerization of IT.
A few years ago at RSA I met an auditor who told me that, at the time, a lot of the organizations she dealt with considered fines for non-compliance with regulatory mandates to be part of the cost of doing business. With the number of breaches associated with such lapses in compliance increasing at a steady clip, are we approaching a time when organizations will view the cost of breaches as yet another part of the cost of doing business? Have some organizations reached that conclusion already? The Identity Theft Resource Center reported that breaches increased by 30% in 2013 over 2012 across a range of industries, with its total number of breaches reported at 619. The total number of records exposed was 57,868,922, which included the 40 million reported by Target. Continue reading “Is the Cost of a Breach Becoming Yet Another Cost of Doing Business?”→
With 2012 drawing to a close in a year punctuated by a continuous stream of security breach headlines in mainstream business media, it’s an appropriate time to contemplate what New Year’s resolutions might look like for the CISO/CSO and others charged with securing IT infrastructure and the valuable business assets they carry. I’d like to offer up a couple of suggestions for those individuals to consider. Those follow, in no particular order. Continue reading “My New Year’s Resolution Suggestions for CISO/CSOs”→
IT security specialists need to expand their range of skills, especially in technology areas that are seeing the greatest amount of new investment.
Employers looking for good candidates need to put resources into training and mentoring programs in order to cultivate the mix of skills they are seeking.
Here’s an interesting conundrum: there is an acute skills shortage in the IT security job market, but at the same time those with security skills are being turned away when they seek to advance through new job openings. A combination of factors appears to have created this scenario. In a recent TechTarget article, George Hulme argues that there are unrealistic expectations on the part of those hiring. Many organizations appear to be looking for candidates with multiple talents. Not only do they want specialists, they want candidates to be specialists in multiple areas, and they want those candidates to have some leadership skills or business acumen. Continue reading “The Great Security Skills Shortage”→
Networks and networking suffer from a lack of respect that defies logic.
Innovation continues apace; however, the industry often fails to give these advances the attention they deserve.
Networks and the stuff that makes them work are suffering from a dearth of respect to which even Rodney Dangerfield would have to defer. Sure, we all know that it is lunacy to dismiss the value of both private and public networks, because the quality of experience is utterly dependent on the quality of the network connections. This is a stone-cold fact, whether we are talking about a teenager watching YouTube videos on a smartphone or a business running mission-critical applications.
Yet while networks and networking have never been truly glamorous, there is a perceptible downward trend in love for the stuff of connectivity. It has long been the case, for example, that the hottest, most admired Internet businesses take public and private networks for granted and ride roughshod over them with something approaching complete disdain. If Facebook is sluggish, you don’t blame Facebook, do you? Continue reading “Networks Do Matter – Really!”→
Antimalware innovators are increasingly successful in pitching their endpoint alternatives as supplemental to incumbent AV products.
This raises the question: why continue to pay premium prices for less effective, traditional protection?
Yet another study claimed recently that anti-virus products fail to detect 60% of the malware in the wild, according to the Security Engineering Research Team (SERT) at Solutionary, a managed security services provider. Statistics like those hardly raise eyebrows anymore, but large enterprises continue to pay premium prices for their endpoint protection. This is not to say that the large anti-malware providers aren’t trying to adapt to the changing threat landscape, but they are slow to innovate and are taking baby steps to move beyond the broken signature-based approach to malware protection, in which each new malware sample and its variants must be identified and a signature created before endpoint-based scanners can detect them. Continue reading “Why Are Enterprises Still Paying Premium Pricing for Less Effective Endpoint AV?”→
Cloud services imply a new type of sales and support ecosystem that is still very complex and relatively unstable at the moment.
This should not put buyers off, and should be welcomed—but all the customary cautionary warnings apply.
The dynamics of cloud services have caused a fair bit of healthy upheaval in the way technology and software suppliers deliver and support their goods. In fact, that would be an understatement. Beyond the obvious difference between a network-based infrastructure or software service and goods sold or licensed for installation on-premise, there is a fundamental shift in the go-to-market plan for suppliers that takes the notion of so-called co-opetition to an entirely different level. Continue reading “Beware the Cloud Service Provider Shell Game”→