Notes from the Front Line: CISOs Share their Problems and Prescriptions

Paula Musich

Summary Bullets:

  • The NSA leaks have created new opportunities for non U.S.-based cloud providers.
  • Developing people and political skills among IT security pros is equally important as developing technical skills, but it is often overlooked.

I had the good fortune to attend the CISO Forum in London this week and as usual it offered a lively discussion of critical security concerns faced by enterprises, governments and non-profits. Topics covered long-running themes such as how to define, measure and manage risk; how to communicate the value of and need for information security to the C-suite and board; how getting the basics right is difficult for most organizations; the security skills shortage; the need to provide agile security; and more.

Too Many Employees Don’t Care About BYOD Policies, but Consequences Can Change That

Paula Musich

Summary Bullets:

  • A growing number of surveys highlight an ugly truth about BYOD programs: too many employees choose to ignore policies.
  • CIOs and CISOs need to get creative and employ more effective carrot-and-stick approaches to ensure compliance, including the use of interactive security training and education as well as non-compliance impact on annual performance reviews.

As if CISOs didn’t have enough to worry about, a new survey that came out this week shed more light on an ugly little secret when it comes to BYOD: a significant number of employees think they have no role or very little role in protecting data stored on their smartphone or tablet.

Heartbleed Bug Shows Industry is Under-investing in Software Integrity

Paula Musich

Summary Bullets:

  • The disclosure of the devastating Heartbleed bug – two years in the wild – illustrates how much the technology industry under-invests in software integrity.
  • Bug bounty programs spur greater participation in vulnerability research, and those who benefit most directly from open source software should contribute to an open source bug bounty program.

Unless you’ve taken a holiday from the connected world, you probably know by now about the Heartbleed bug. And if you’re a CSO or CISO, you’ve most likely seen plenty of suggestions on how to respond to the threat posed by this extremely risky and widespread vulnerability. It struck me that, although the effort is not quite as Herculean, the response to Heartbleed needs to be nearly as widespread as the effort to fix the date problem at the turn of the 21st century. Estimates I saw suggest that as many as 66% of all websites across the globe use OpenSSL, and some reports indicated that the library is embedded in a wide variety of network infrastructure devices, including routers, WLAN controllers, firewalls and more. But while enterprises had plenty of advance notice to address the date problem leading up to the year 2000, website operators and technology vendors need to move with the utmost urgency to patch this flaw and clean up the mess created by this “catastrophic” vulnerability. And because the bug leaks server memory, patching alone is not the clean-up: private keys, certificates, session tokens and passwords that may have been exposed while a vulnerable build was running have to be replaced as well. It shouldn’t be a surprise that the coding error happened, and I don’t think that its existence is necessarily a condemnation of the way that open source vetting works.
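The triage decision that follows from the paragraph above, written out as an added example (it is not code from the original post). It takes the banner printed by `openssl version`, flags the upstream releases that carry the bug (1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g and 1.0.2-beta2 fixed it; 0.9.8 and 1.0.0 never had the heartbeat code), and lists what is still outstanding for a host. The `backported_fix` and `patched_on` inputs are assumptions about what an inventory would track: most distributions shipped the fix without changing the version string, so the banner alone over-reports, and the key-rotation decision depends on whether the current certificate was issued before or after the host was patched. The sample inventory at the bottom is constructed.

```python
"""Heartbleed (CVE-2014-0160) response triage: is a build vulnerable, and
which clean-up steps are still outstanding for a host?

Added example, not part of the original post.  Version facts used here:
OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 contain the bug; 1.0.1g and
1.0.2-beta2 fixed it; the 0.9.8 and 1.0.0 branches never had the heartbeat
code.  Inputs are hypothetical: banner strings as printed by `openssl
version`, dates as ISO strings.
"""
import re
from datetime import date

DISCLOSURE = date(2014, 4, 7)  # 1.0.1g release / public disclosure

# Matches "OpenSSL 1.0.1e-fips 11 Feb 2013", "OpenSSL 1.0.2-beta1 24 Feb 2014", ...
_BANNER = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.I)


def parse_version(banner):
    """Return (major, minor, patch, letter, beta) from an `openssl version` banner."""
    m = _BANNER.match(banner.strip())
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter.lower(), (int(beta) if beta else None)


def is_vulnerable_version(banner):
    """True if the upstream release named in the banner contains the Heartbleed bug."""
    major, minor, patch, letter, beta = parse_version(banner)
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) and 1.0.1a..1.0.1f are affected; 1.0.1g fixed it.
        return letter < "g"
    if (major, minor, patch) == (1, 0, 2):
        # Only the first beta shipped with the bug.
        return beta == 1
    return False


def remediation_steps(banner, cert_not_before, patched_on=None, backported_fix=False):
    """Outstanding actions for one TLS host.

    cert_not_before: ISO date the current certificate was issued.
    patched_on:      ISO date on which a previously vulnerable build was fixed
                     on this host, or None if it has not been (or was never affected).
    backported_fix:  True when the distro patched the bug without bumping the
                     version string (most did), so the banner alone over-reports.
    """
    steps = []
    still_vulnerable = is_vulnerable_version(banner) and not backported_fix
    if still_vulnerable:
        steps.append("upgrade OpenSSL to 1.0.1g+ (or a vendor build with the fix) "
                     "and restart every service linked against it")

    # The bug leaks up to 64 KB of process memory per request, so any key that
    # lived in a vulnerable process must be treated as exposed: the host is
    # still vulnerable, or the certificate predates the patch on a host that
    # used to be vulnerable.
    issued = date.fromisoformat(cert_not_before)
    was_exposed = still_vulnerable or (
        patched_on is not None and issued < date.fromisoformat(patched_on)
    )
    if was_exposed:
        steps.append("generate a new private key, reissue the certificate and revoke the old one")
        steps.append("invalidate sessions, rotate cookies/API tokens and force password resets")
    return steps


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [
        ("web-1", "OpenSSL 1.0.1f 6 Jan 2014", "2013-06-01", None, False),
        ("web-2", "OpenSSL 1.0.1g 7 Apr 2014", "2013-06-01", "2014-04-08", False),
        ("web-3", "OpenSSL 1.0.1e-fips 11 Feb 2013", "2014-04-10", "2014-04-09", True),
        ("lb-1", "OpenSSL 0.9.8y 5 Feb 2013", "2013-01-01", None, False),
    ]
    for host, banner, not_before, patched, backport in inventory:
        todo = remediation_steps(banner, not_before, patched, backport) or ["nothing outstanding"]
        print(f"{host}: " + "; ".join(todo))
```

The version check is only a first pass: a host reporting 1.0.1e may already carry a vendor backport, and a host reporting 1.0.1g may have been vulnerable for two years before the upgrade, which is exactly why the key-rotation decision keys off `patched_on` rather than the banner.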

Good Security is a Three-legged Stool: Technology, People and Process

Paula Musich

Summary Bullets:

  • A good security defense requires equal measures of investment in not only technology but also people and processes.
  • Detecting breaches is not the end game, but the beginning of a process to understand the scope and impact and then respond quickly to minimize the damage.

Thinking about the latest revelations around the Target breach, and how Target’s FireEye deployment had alerted the company to the breach early on, it struck me that the company had invested appropriately in technology, but underinvested in its people and processes.  It’s easy for technologists to fall for the silver bullet trap, investing in technology with the belief that it will make a particular problem or pain go away.  It’s a whole lot harder to muster the resources required to properly exploit the benefits of the technology when budgets are tight and skilled security analysts are in short supply.  It’s time for enterprises to invest more in training to develop the skilled staff necessary to meet the challenges posed by today’s threat landscape.  At the same time, it’s equally important to invest in developing the processes needed to deal effectively with the glut of alerts and to conduct the follow-on investigations required to scope the extent of those potential breaches.  When key security employees leave, the appropriate training and processes can help fill the void and ensure such inevitable changes don’t negatively impact the organization’s security defenses.

A Tale of Two Mobile Threat Reports

Paula Musich

Summary Bullets:

  • Threat researchers from Sophos and F-Secure agree mobile malware overwhelmingly targets Android and the amount of Android malware is growing rapidly.
  • Where they diverge is in their view of how many vulnerabilities exist between Apple’s iOS and Google’s Android mobile operating systems.

There was an interesting contrast between competing mobile threat reports that surfaced this week from Sophos and F-Secure.  Sophos published its first-ever Mobile Security Threat Report, which debuted at Mobile World Congress, while F-Secure published its Threat Report H2 2013, which included a look into mobile malware.

Is the Cost of a Breach Becoming Yet Another Cost of Doing Business?

Paula Musich

Summary Bullets:

  • The steady rise of data breaches poses a danger that C-level executives will come to view those as a cost of doing business.
  • But with those costs on the rise, organizations can’t afford the price tag, and they have to get better at managing risks in the new reality of mobility, cloud computing and consumerization of IT.

A few years ago at RSA I met an auditor who told me that at the time a lot of organizations that she dealt with considered fines from non-compliance with regulatory mandates to be part of the cost of doing business.  With the number of breaches associated with such lapses in compliance increasing at a steady clip, are we approaching a time when organizations will view the cost of breaches as yet another part of the cost of doing business?  Have some organizations reached that conclusion already?  The Identity Theft Resource Center reported that breaches increased by 30% in 2013 over 2012 across a range of industries, with its total number of breaches reported at 619.  The total number of records exposed was 57,868,922, which included the 40 million reported by Target.

A Few More Thoughts on VMware’s $1.54 Billion Acquisition of AirWatch

Paula Musich

Summary Bullets:

  • Consolidation of the enterprise mobility management market (EMM) will continue, but it doesn’t necessarily mean that’s good for EMM customers.
  • When the dust settles from continued consolidation, at least one pure-play, independent provider will be left standing to supply a best-of-breed alternative.

I can’t resist the opportunity to weigh in on the still fairly recent news of VMware’s planned acquisition of leading pure-play enterprise mobility management provider AirWatch for a reported $1.54 billion.  Of course, this move was not surprising given the continued march of consolidation activities in the EMM market.  VMware follows IBM with its Fiberlink acquisition, the much smaller and stealthier acquisition of BitzerMobile by Oracle, and VMware rival Citrix’s acquisition of Zenprise just over a year earlier.  The move is also not surprising, given the failure of VMware’s Horizon Workspace to gain any traction in the mobile application management segment, as well as the appointment of former SAP mobility chief Sanjay Poonen as GM and EVP of VMware’s End-User Computing group last August.

Cisco’s Annual Security Report: Are We Approaching a Crisis of Trust?

Paula Musich

Summary Bullets:

  • Mobility and the ‘Internet of Things’ are increasing the attack surface from which cybercriminals are launching new and more sophisticated attacks.
  • Yet, consumers are still too trusting.  In 2013, an alarming increase occurred in the exploitation of web hosting infrastructure for launching cyber attacks.

This past week, Cisco delivered its Annual Security Report, looking back at 2013 and the evolving attack landscape.  The theme for this iteration of the report surrounds trust.  Quite frankly, I think too many consumers adopting new technologies, particularly mobile devices, are decidedly too trusting.  They are not asking the right questions; nor are they concerning themselves with the security of these new technologies they are embracing.  In our rush to adopt mobile computing and to bring intelligence and connectivity to everything from refrigerators to TVs and home heating and air conditioning systems, we are not bringing a skeptical eye to the exercise.  In fact, on January 16, Proofpoint claimed to have uncovered what could be the first ‘Internet of Things’ cyber attack, which used compromised connected multimedia centers, TVs, and a connected refrigerator to launch an attack.  This is dangerous, because as the Cisco 2014 Annual Security Report highlights, attackers are not only more organized and better financed, but also outnumber IT security professionals.  Cisco’s report claims there is a shortage of over 1 million IT security professionals going into 2014.

A New Wave of Android Devices Is Coming to the Workplace; IT Security, Are You Ready?

Paula Musich

Summary Bullets:

  • Android devices are an increasingly rich target for mobile malware writers, which makes securing those devices as they are used in the workplace a key element of any BYOD or COPE program.
  • IT security pros should insist any BYOD program require the most up-to-date mobile OS versions and ensure the anti-malware protections included in any MDM or MEM deployment are top notch.

Now that all smartphone and tablet Christmas presents are making their way into the enterprise, it is important to examine the security protections put in place to secure their access to enterprise applications and data.  Beyond authentication, passwords, remote lock and wipe, and other basic security measures provided in enterprise mobile management suites, anti-malware for those mobile endpoints is a key element that should be carefully scrutinized.

Yes, Virginia, Privacy Really Does Matter

Paula Musich

Summary Bullets:

  • Is social media rewiring our psyches to expect that we have zero opportunity for private reflection and growth?
  • It’s time to educate creators and consumers of social media about the dark side of living our entire lives online.

Edward Snowden’s Christmas message got me thinking about our evolving view of privacy.  The message, aired in a short video on Channel 4 in the UK as the ‘alternative Christmas message’ for 2013, warns of the dangers of mass surveillance occurring across the globe and makes the case that privacy matters.  You wouldn’t know that by the online behavior of millions of social media users.  I honestly don’t get why people feel compelled to share their worst moments and lesser traits with the whole world.  Such details are increasingly being exploited by a range of organizations – not only Facebook, Google and the NSA, but also TV broadcasters for entertainment purposes.  I recently watched in shock and horror as Ellen DeGeneres broadcast highly unflattering photos taken from the public Facebook pages of some of her audience members and then called those audience members out to discuss the photos.  I wondered how many other audience members and viewers felt as uncomfortable as I did in viewing those photos, or questioned why anyone would post such unflattering photos in the first place.  As Nicholas Carr so well described in The Shallows: What the Internet Is Doing to Our Brains, the Internet is rewiring how we think.  Are Facebook, Google and the ‘Internet of Things’ rewiring our psyches to accept a world in which we have no private moments of reflection?  Or will we collectively come to a moment when we realize that privacy really does matter?  And will that realization cause us to change our habits (not to mention our laws)?