Tag: CISO

Last week, our esteemed colleague David Holmes answered the board’s question “Are we doing anything with bitcoin?” by slamming the door on a technological trend that is not only underway but is rapidly expanding. (Heck, bitcoin itself is “old news” now.) Still, it should be on every CISO’s brain. Even if CISOs don’t need to talk to…

Cybercrime in general—and most recently, crime perpetrated using IoT devices—has become a serious problem. Legislatures around the world have struggled to write laws to rein things in. The problem has been that governments have issued cybersecurity laws that are either too burdensome or ineffective. We’ve seen various breach disclosure acts designed to “name and shame”…

Figure 1: Bug types across valid submissions shows a decline in low value bug types such as clickjacking, and steady submissions in XSS and mobile bugs. XSS, SQLi, and CSRF are among the OWASP “Top Ten”, with reams of documentation, tutorials, code samples, and tools capable of discovering these bugs before applications are introduced to the wild. One…

The recently released F5 and Ponemon report, “The Evolving Role of CISOs and their Importance to the Business,” unearthed some disconcerting results about CISO effectiveness. In particular, the following survey question spoke to this point specifically: Are security operations aligned with business objectives? Fully – 26%; Partially – 34%; Not – 40%. Surprisingly, only a quarter of…

Depending on third parties is inescapable. Every organization needs software, hardware, Internet connectivity, power, and buildings. It’s unlikely they’re going to do all those things themselves. That means that organizations must be dependent on others outside themselves. With that dependence comes risk. F5 recently partnered with Ponemon Institute to survey CISOs. In the report, The Evolving…

In part I of this series, I explored some of the issues surrounding the fact that we have managed to build networks so large and complex that it is essentially impossible to grasp any significant fraction of network activities without asking for help from… the network itself. In this installment, I delve into some actual techniques…

Destruction, loss of data, intellectual property theft, fraud, embezzlement, disruption to business, restoration—globally, the costs of dealing with hacking, which were estimated at $3 trillion in 2015, are projected to double to $6 trillion annually by 2021.[1] Yet under US law, it’s illegal to attack the hackers back. Way back in February, a Georgia Republican…

Executives are slowly but surely recognizing the ramifications of providing the wrong answer when asked the questions: “Prior to the breach, did we train our employees in the acceptable use of company assets? Did we train them about what they could and could not do?” Do you work for a company that requires employees to sign…

Information Security Controls are the bread and butter of audit professionals, the bane of developers, and the playground of security professionals. From a business perspective, they provide a means for enabling business resiliency by protecting and reducing the risk associated with the threat landscape. Insofar as the concept of defense in depth is embraced, it’s…

Back in September, I had the honor of moderating a panel session in Hong Kong under the theme of “Is Cybersecurity the Hidden Achilles of Hong Kong’s Digital Economy?”. At that time, China was the world’s leading bitcoin exchange market, accounting for 90% of trading worldwide, yet it had announced that it was shutting down bitcoin and cryptocurrency exchanges, calling…
