Tag: CISO

Over the past 11 years, I’ve done hundreds of audits for organizations of all sizes around the world. I specialize in audits for SSAE 16/18 (SOC1 and SOC2),1 Sarbanes Oxley,2 and PCI DSS.3 I’ve seen a lot of audit failures, and there are some common themes to them from which other companies can learn. My work…

Read More

According to a 2015 study by Georgia Tech Information Security Center, 40 percent of CISOs reported to the CIO or CTO rather than directly to upper leadership.1 A forthcoming F5 Ponemon CISO research report will show that the trend is shifting away from CISOs reporting into the IT organization. From a legacy point of view,…

Read More

F5 Labs recently featured a CISO-to-CISO blog post by an experienced auditor, Kyle Robinson, discussing how most organizations fail audits. I’ve been through quite a few audits myself, including a number by the author of that blog. Here are six ways to avoid the common audit failures he spelled out. Get Prioritization from the Top Until…

Read More

As security professionals, whether we know it or not, we all have a role to play in protecting the critical infrastructure. We see almost daily in the news that ordinary people around the world are being targeted in cyberattacks by terrorist groups, nation states, and organized crime groups. These groups use cybercrime to advance their…

Read More

In this blog series, I explore the challenges of the information security practitioner, discussing how technical evolution simultaneously contributes new issues but presents new techniques for solving these issues. I begin with an academic question: Can humans create a system so large that the problems surrounding it are not solvable at human scale? There are…

Read More

It seems earthshaking vulnerabilities are released weekly that leave vendors and system administrators scrambling to remediate. So, where are all these vulnerabilities coming from? A simple search on the National Vulnerability Database shows over 3,300 new vulnerabilities released in just the past 3 months.1 Granted that many of these vulnerabilities are esoteric and limited to…

Read More

  Internal and external threat landscapes are made up of the same system components. Differentials are based on implementation and technology choices. Hosting Resources The way a solution is deployed, the type of cloud service, and the tenant model make up an organization’s hosting resources and provide the basis for the threat landscape. Why? This…

Read More

According to Verizon’s 2014 Data Breach Investigations Report,1 “Web applications remain the proverbial punching bag of the Internet.”2 Things haven’t improved much since then. What is it about web applications that makes them so precarious? There are three primary answers. First, since most web applications are configured or coded specifically for the organizations they serve,…

Read More

Image by Eva Rinaldi / License Creative Commons 3. The Nation State One of the supposed benefits of bitcoin and other cryptocurrencies is that they aren’t tied to any particular nation state. This prevents bitcoin assets from being frozen by the state, and gives consumers the freedom to do anything they want with their money.10 State sponsorship of…

Read More

Several surveys talk about CISO salaries and job prospects, but we felt that the industry as a whole needed to fully understand what goes into the day-to-day job of a CISO. F5 and research firm Ponemon teamed to survey CISOs to draw as complete a picture as we could on the modern security executive. In…

Read More