Summary Bullets:                

• A good security defense requires equal measures of investment in not only technology but also people and processes.
• Detecting breaches is not the end game, but the beginning of a process to understand the scope and impact and then respond quickly to minimize the damage.

Thinking about the latest revelations around the Target breach, and how Target’s FireEye deployment had alerted the company to the breach early on, it struck me that the company had invested appropriately in technology, but underinvested in its people and processes.  It’s easy for technologists to fall for the silver bullet trap, investing in technology with the belief that it will make a particular problem or pain go away.  It’s a whole lot harder to muster the resources required to properly exploit the benefits of the technology when budgets are tight and skilled security analysts are in short supply.  It’s time for enterprises to invest more in training to develop the skilled staff necessary to meet the challenges posed by today’s threat landscape.  At the same time, it’s equally important to invest in developing the processes needed to deal with the glut of alerts and follow-on investigations effectively required to scope out the extent of those potential breaches.  When key security employees leave, the appropriate training and processes can help fill the void left to insure such inevitable changes don’t negatively impact the organization’s security defenses. Continue reading “Good Security is a Three-legged Stool: Technology, People and Process” →

Summary Bullets:

• The steady rise of data breaches poses a danger that C-level executives will come to view those as a cost of doing business.
• But with those costs on the rise, organizations can’t afford the price tag, and they have to get better at managing risks in the new reality of mobility, cloud computing and consumerization of IT.

A few years ago at RSA I met an auditor who told me that at the time a lot of organizations that she dealt with considered fines from non-compliance with regulatory mandates to be part of the cost of doing business.  With the frequency in the number of breaches associated with such lapses in compliance increasing at a steady clip, are we approaching a time when organizations will view the cost of breaches as yet another part of the cost of doing business?  Have some organizations reached that conclusion already?  The Identity Theft Resource Center reported that breaches increased by 30% in 2013 over 2012 across a range of industries, with its total number of breaches reported at 619.  The total number of records exposed were 57,868,922, which included the 40 million reported by Target. Continue reading “Is the Cost of a Breach Becoming Yet Another Cost of Doing Business?” →

With 2012 drawing to a close in a year punctuated by a continuous stream of security breach headlines in mainstream business media, it’s an appropriate time to contemplate what New Year’s resolutions might look like for the CISO/CSO and others charged with securing IT infrastructure and the valuable business assets they carry. I’d like to offer up a couple of suggestions for those individuals to consider.  Those follow, in no particular order. Continue reading “My New Year’s Resolution Suggestions for CISO/CSOs” →

Summary Bullets:              

• IT security specialists need to expand their skills range, especially in technology areas that are seeing  the greatest amount of new investment
• Employers looking for good candidates need to put resources into training and mentoring programs in order to cultivate the mix of skills they are seeking

Here’s an interesting conundrum:  There is an acute skills shortage in the IT security job market, but at the same time those with security skills are being turned away when they seek to advance through new job openings.  It appears to be a combination of factors that have created this scenario.  In a recent TechTarget article, George Hulme argues that there are unrealistic expectations on the part of those hiring.  Many organizations appear to be looking for candidates with multiple talents.  Not only do they want specialists, they want candidates to be specialists in multiple areas, and they want those candidates to have some leadership skills or business acumen. Continue reading “The Great Security Skills Shortage” →

Summary Bullets:

• Antimalware innovators are increasingly successful in pitching their endpoint alternatives as supplemental to incumbent AV products.
• This raises the question:  why continue to pay premium prices for less effective, traditional protection?

Yet another study claimed recently that anti-virus products fail to detect 60% of the malware in the wild, according to the Security Engineering Research Team (SERT) Solutionary, a managed security services provider.  Those kind of statistics hardly raise eyebrows anymore, but large enterprises continue to pay premium prices for their endpoint protection. This is not to say that the large anti-malware providers aren’t trying to adapt to the changing threat landscape, but they are slow to innovate and are taking baby steps to move beyond the broken signature-based approach to malware protection, in which each new malware and its variant must be identified and a signature created for endpoint-based scanners to identify. Continue reading “Why Are Enterprises Still Paying Premium Pricing for Less Effective Endpoint AV?” →