A new report shines a light on some unfortunate news in the world of federal cybersecurity. According to the U.S. Government Accountability Office (GAO), only three of 23 federal agencies have reached their expected logging requirements as dictated by Executive Order 14028. In this article, we’re talking about this executive order and what it calls…
Social Engineering and Enterprise Security
Discussions about security and compliance disproportionately focus on businesses and enterprises, precisely because these organizations serve as central repositories for critical industrial or consumer information. Accordingly, regulations and best practices are often tied to securing this infrastructure, with consumers getting little to no attention. However, the reality of modern cybersecurity threats is that almost all…
The New Social Security: When Social Media Meets Social Engineering
The convergence is upon us all; this influx of technology intermingled with information infused now in every possible facet of our business and personal lives. We live in the presence of infinite possibilities through technology. Business is being propelled into new trajectories never before possible. Our social spheres and human interpersonal interactions have all been…
Changes are Coming: Electronically Stored Information
I’ve been doing a bit of research into the subpoena, search, custody, and disposal of electronically stored information (ESI). Part of this comes in the normal course of doing business as a Chief Information Security Officer, while part comes from my natural passions for information security and the law. The reality that casting a wide…
Timeline for PCI DSS 4.0: The Twelfth Requirement, Policies, and Programs
So, after a long journey, we’ve arrived at the twelfth and final requirement for PCI DSS 4.0. Last but certainly not least, this requirement emphasizes the need for creating, documenting, and implementing organization-wide security and compliance policies.
What Is a Risk Appetite Statement?
Over the past few weeks, we’ve talked quite a bit about risk: What it is. How it applies to compliance. How you can start to think about it as an aspect of your overall business strategy. In many of the cases we’ve discussed, we’ve referred to risk in terms of mitigation–how to close the gap…
Why In a Former Life I was a Cadaver Dog!
My career has been an adventure along the scenic route, speaking conservatively, which I rarely do. My number one goal is to be the best example for what I choose to focus my attention on. I rose in the corporate ranks pretty quickly and helped define what it really means to be a Chief Information…
CIO, CISO, Eee Eye, Eee Eye Oh Crap a Data Breach!
How do you quantify the true cost of a data breach? How do you measure the costs against the benefits of eliminating risks, mitigating risks or accepting risks to your business effectively? The Lazarus Alliance executive leadership team has been the proverbial tip of the spear within the proactive cyber security realm well before there…
A Decade of SOX: Knowledge is your friend; Ignorance is your enemy
We are well past a decade now living with the Sarbanes Oxley Act. As one might expect, corporations, employees and auditors alike have become acclimated to the requirements so much so that the process is routine. The upside to this is that people supporting a SOX audit are pretty comfortable with the expectations and requirements.…
In Harm’s Way: The CISO’s Dangerous Tour of Duty
I’ve been in the corporate chief information security officer’s (CISO) executive chair long enough to realize that the traditional hierarchical model of information security reporting up through the technology department has a fatal flaw. This hazard is directly associated with the inherent conflict of duties that exists by the very nature of the position. For…
Buyer Beware
Fact: Companies are being breached seemingly at-will by hackers, malicious insiders, competing company entities, and nation states. Companies and consumers seem to be losing the battle. Sources of this problem are: 83 percent of organizations have no formal cyber security plan. (Source: National Cyber Security Alliance, 2012) Thousands of breaches have occurred over the last…
Dichotomy
As we approach retail’s favorite season, I have the unique perspective of being concerned about information security as both the Chief Information Security Officer (CISO) for a commerce software company and as a customer to a plethora of retailers — some who are clients and others who are not. In effect, I’m wearing two…
My comments about Virtuport and MENA ISC 2012.
Several exceptional facets of MENA ISC 2012 became quite apparent to me during my attendance and participation in the Middle East North Africa Information Security Conference. First, what a truly impressive assembly of international security experts and delegates. People attending were engaged, inquisitive, and very collaborative, which is a vital component in mastering the global…
What’s in a name?
Prior to April Fools’ Day, 2011, you probably had never heard of Epsilon Data Management, right? I’d wager, however, that this email marketing firm has heard of you. In excess of 250 million email account names were pirated from the marketing services firm, vaulting this to what may be the largest breach of personal information…
Juris Doctor 120 of 161 – AKA Beer Breach
I have a natural passion for keeping people safe and secure as many of you know. I also have a real passion for technology law which might be evidenced by the doctoral pursuit in law. I also follow the news looking for cases that have been adjudicated and what the verdict or in most cases,…
Domestic Terrorism
According to a recent analysis conducted by Akamai, out of all the cyber-attacks observed originating from the 209 unique countries around the world identified, the United States was the top attack traffic source, accounting for 12% of observed attack traffic in total. Russia and China held the second and third place spots respectively, accounting…
How E-Commerce Apps Are Putting Your Site at Risk
Article Reprint: http://www.ecommercetimes.com/story/How-E-Commerce-Apps-Are-Putting-Your-Site-at-Risk-70964.html?wlc=1286281687&wlc=1286300892 Many developers do not overlook security on purpose; it’s just that the focus is usually on features and functionality, not the nuts and bolts of building a secure software application. These technical oversights can leave a relatively easy opening for attackers to leverage. Cross-site scripting or data source injection are the most…
Gearing Up for the Holidays? So Are Cyber-Criminals
Article Reprint: http://risnews.edgl.com/retail-best-practices/Gearing-Up-for-the-Holidays–So-Are-Cyber-Criminals40304 The holidays typically are the peak season for merchants. Yet at such a critical time of year many retailers still leave themselves vulnerable to significant e-commerce fraud – and the corresponding lost revenue and damaged brand reputation — because they don’t enforce or implement information security best practices throughout the year. While…
Juris Doctor 85 of 215
So I’ve been spending a bit of time with the Federal Rules of Civil Procedure and I of course look for connections to the activities I’m involved in such as my day job as Chief Information Security Officer. A trend that I’ve commentated upon heavily over the past two years concentrates on what is being…
Emerging trend or merging trend? I think so!
I’ve been conducting a new job search and what is very interesting to me, and should also be to any job seeker or person who is interested in maintaining their competitive edge, is a noticeable increase in the basic required qualifications and especially the preferred qualifications listed in most job postings. In part I am…
ISSA Senior Member Nomination
I was humbled and honored to be nominated by the Board of Directors of the Kentuckiana ISSA chapter in Louisville, Kentucky for ISSA Senior Member. I’ve been out of the Kentuckiana territory for a number of years to be the Chief Information Security Officer for Colonial Bank (Now BB&T Bank). I’ve been a member of…
Like a rocket
A good business colleague and friend once told me, “Dude, you just took off like a rocket!” This comment was made just a few years following my departure from the same company he remained in employment with. In just a few short years I went from being a peer with a similar resume and similar…
Juris Doctor 59 of 215
I’m clearly behind in my blogging activity in general. It has been a whirlwind two weeks getting settled, comfortably I might add, into my new position as Chief Security Officer for Fifth Third Processing Solutions. An interesting and fortuitous event occurred during my first week on the job. Executive leadership added physical security to my job…
Laws of Power – 27
Play on people’s need to believe to create a cult-like following: people have an overwhelming desire to believe in something. Become the focal point of such desire by offering them a cause, a new faith to follow. Keep your words vague but full of promise; emphasize enthusiasm over rationality and clear thinking. Give your new…