April 22, 2012    /    by

Dark Clouds Over Technology: Pondering Action After Recent State Government Data Breaches

Over the past few weeks, there have been several high-profile breaches announced involving state government systems - one in South Carolina and one in Utah. My first reaction was to think: There but for the grace of God go we.

Over the past few weeks, there have been several high-profile breaches announced involving state government systems - one in South Carolina and one in Utah. I say “high-profile” because the coverage of both incidents has been widespread, with tech magazines, blogs and even major newspapers and TV stations covering the situations in detail. The headlines have not been very encouraging for our respected government colleagues, with Computerworld reporting that the Utah breach was 10x worse than originally thought.

My first reaction, and the thoughts of many government CIOs, CTOs, CISOs and CSOs around the nation, was to think: “There but for the grace of God go we.” Anyone who thinks they are not susceptible to similar cyber incidents (whether from insider threats or external hackers) has not been paying close enough attention to the growing threat in the cyber world we live in. (I covered this topic briefly in the piece: Is America Outgunned in Cyber?)

April 15, 2012    /    by

The Business of Security: Why Customer Service Matters More Than You Think - Part 3

So what is the right level of security? How do you know if you have gone too far, or not far enough in protecting critical systems? Do all business functions need the same level of security?

A few weeks ago, Bob Lewis wrote some provocative words over at InfoWorld that most security pros probably find pretty hard to stomach. In an article entitled:  BYOD and the hidden risk of IT security, Bob basically called out most “bring your own device to work” security strategies as being more damaging to enterprises than helpful. His subtitle said this: “When employees use personal devices for business purposes, too much security can create more risk than it prevents.”

Wow! He got my attention. But I’m struggling to get to the same place as Bob. I’m still looking for the preponderance of large enterprises that have the “too much security on smartphones” problem. I wish he had provided some compelling examples.

April 14, 2012    /    by

Titanic Mistakes: Five Pragmatic Lessons from Spectacular Technology Failures

Everyone is talking about the sinking of the Titanic and they should be. Here are five lessons for technology and security professionals from the sinking of the Titanic ...

Everyone is talking about the sinking of the Titanic – and they should be. The people, the stories, the technology, and especially the tragic ending, are legendary. It has been one hundred years since she sank. Books have been written, movies made – and remade in 3D. But somehow, we can’t seem to forget what happened or miss a chance to hear the remarkable, mysterious story again.

Numerous theories still abound analyzing the never-ending question: “Why did it happen?” The very word “Titanic” has become synonymous with words like enormous, monumental, gigantic, massive, huge and immense. But most of us aren’t picturing a monumental home run or an enormous successful product launch. No, the word Titanic has also been seared into our brains as a massive failure.

April 9, 2012    /    by

Delivering Cybersecurity With Customer Focus: Who, When, Where and How

So how can this customer service theme work for security professionals? Allow me to tell you a true story.

Every manager has a day like this at some point.

It was in late spring of 2009, and I was having one of those “open and honest” conversations with my Infrastructure Services (IS) Leadership Team regarding how things were really going with internal organizational relationships. I had moved over from the Chief Information Security Officer (CISO) role to become the Chief Technology Officer (CTO) a few months earlier, and this was the moment that I later declared to my wife that my “infrastructure honeymoon period” was officially over.

April 2, 2012    /    by

Customer Service is a Priority for Security Pros Too

It was a warm Friday morning for March in Michigan, and the Williams Auditorium was packed with government technology supervisors, managers and directors within state government. Several hundred people had gathered for a second morning to hear the results and ask questions regarding the recently completed Gartner study, which covered all aspects of Michigan Government’s Information, Communications and Technology (ICT).

This comprehensive Gartner study took over five months to complete. Their analysis examined people, processes and technology and benchmarked us against other states and the best companies in the world. (Yes – cybersecurity was included in this “As Is, To Be, Gap Analysis.”) The day before, Gartner representatives presented the good, the bad and the ugly regarding the current situation. Now came the part that everyone was anxiously waiting to hear – what did the future hold for Michigan government ICT? What were the new recommendations that would likely change our direction?

March 28, 2012    /    by

Is America Outgunned in Cyber?

Shaun Henry, the FBI’s top cyber cop and executive assistant director responsible for cyber, told the Wall Street Journal (WSJ) that “we’re not winning” and that the current approaches being used by the public and private sectors are:  “… Unsustainable. Computer criminals are simply too good and defensive measures too weak to stop them.”

The WSJ article entitled: U.S. Outgunned in Cyber War also reported that Henry said:

March 22, 2012    /    by

Lawsuits Challenge Privacy Policies

Internet privacy has long been a hot-button issue. Central questions are being asked about who owns what data, how that data can be used by various companies to target individuals in marketing and whether users can opt-in or opt-out of various data-sharing approaches. Just as in other areas of life in America in 2012, these questions are often settled in the courts.

Now, Google is facing a class action lawsuit over its new privacy policy. Computerworld reported that Google faces complaints that they changed earlier privacy policies which promised that information obtained by one service will not be used by another service. Beyond consumer complaints and online criticism, a new group seeks to bring nationwide class action on behalf of holders of Google accounts and owners of Android devices from Aug. 19, 2004 to Feb. 29, 2012, who continued to maintain the Google accounts and own the devices after the new privacy policy came into effect on March 1 this year.

March 18, 2012    /    by

Perspectives on IT Security in Eastern Europe: First Impressions from Two Very Different Cities

I traveled to Eastern Europe last week to speak at two different one day cybersecurity conferences that are a part of a series of events known as the IDC IT Security Roadshow 2012.

I was blessed with the opportunity to travel to Eastern Europe last week to speak at two different one day cybersecurity conferences that are a part of a series of events known as the IDC IT Security Roadshow 2012. This was the tenth anniversary of this excellent IDC conference series. I previously had the privilege to speak at their event in Moscow two years ago. (After that Moscow conference, I wrote this blog.)  

So here are my initial impressions. I intend to write another piece over the next few months with some more detailed observations. (At the end of this blog, I’ll offer some answers to several background questions related to the trip.)

March 8, 2012    /    by

Will New Cybersecurity Legislation Pass in 2012?

Will new cybersecurity legislation pass in 2012? If yes, what will be included, what will be left out and which agencies or organizations will be in charge of various information sharing and monitoring roles? These are hot questions in DC right now.

Mark Weatherford, Deputy Under Secretary for Cybersecurity for the National Protection and Programs Directorate (NPPD) at the US Department of Homeland Security (DHS), posted an interesting blog on Tuesday. In the post, titled The Private Sector Agrees, We Need Cybersecurity Legislation Now, Mark points out that the status quo is simply not acceptable.

March 4, 2012    /    by

Hacker Hangouts: Where the Young and Restless Go to Learn How to Hack

As discussed in several previous blogs, the term “hacker” can mean many different things to different people.  For a large section of the 15-25 year-olds entering the programming world, hacking is a state of mind. To be a hacker is to apply an aggressive approach to attempting new things or to explore the unknown (or untested) with technology in the 21st century. Of course, you can be a “white hat” or “black hat” hacker (good guy or bad guy). 

But where do hackers live and spend their time? Beyond Black Hat Conferences around the world, where do hackers congregate online? As security pros scan the world-wide-web for the good, the bad and the ugly, we come across information, tools and methods that the majority of people don’t know exist. The hacker hangouts discussed in this blog are not unethical or illegal, but in some cases, it’s difficult to see how some of the materials could be used for good.