Working in information security for the past 20 years, I have seen a lot. Though there have been many multi-million dollar impact breaches, the recent Sony Pictures hack and subsequent data exposure and extortion is probably the most impactful to a company out of the previous breaches this year.
When I started out in security, only very large organizations with a mature set of business processes dared to talk about implementing some form of governance, risk, and compliance (GRC) or enterprise program (e-GRC). They generally did it in an attempt to get ISO or similar certification, or to “move their programs to the next level,” and some, I think, attempted it just to prove they did it. Many of those efforts were monumental, costing millions of dollars and taking years to complete. However, a significant number seemed to end in compromise, yielding a smaller end result or totally failing after thousands of man hours and millions of dollars for software, systems, and consulting had been spent.
There is no disagreement that the current mag-stripe technology used in the USA and other countries outside of the EU is antiquated and lends itself to fraud. The data is easily copied using various methods from manual card data copying and shoulder surfing, to database compromise and POS terminal malware. Cards can be reproduced with off-the-shelf plastic blanks and a simple machine you can buy on the Internet.
This week, Las Vegas hosted some 3500 people at the MGM Grand to mark Splunk .conf14, the annual user gathering for Splunk customers, referred to as “Splunkers”. For those of you not in the tech industry, spelunking, or the act of exploring caves, may come to mind. The theme of the conference was not cave exploration, but data exploration; however, the analogy of cave exploration actually aligns very well. “Splunkers” are diving into their data, delving deep into places that many have never explored before. Each of them finding new and cool ways to use the data that they have been collecting for years, just-in-case they ever needed it.
What’s the issue with BYOD? Data Control… What’s the issue with Data Sharing? Data Control!
I see a significant gap in not only how the need for Security Awareness training is perceived as needed but also in the general quality of the programs and training delivered vs other types of training. In many cases small companies avoid security awareness training due to ignorance, cost fears, or fears it will stifle their culture of creativity. This research project is structured to give CIO’s, CISO’s, and other security and IT managers the data to motivate them to provide in security awareness training programs thereby bringing about change in their organizations.
Discovering, capturing and making sense of complex interdependencies is central to running IT organizations more effectively, and it is also a critical part of running the businesses IT serves. Whether it’s optimizing a network, or an application infrastructure, managing change, or providing more effective security-related access—more often than not these problems involve a complex set [...]