By Brian Lozada
In this four-part series CISO Brian Lozada examines the state of cybersecurity in our nation’s critical infrastructure, what is at risk, what makes it unique, and what measures can be taken to bolster its safeguards. Part One:
As technology continues to advance, so does the potential for increased cyber threats against our nation’s critical infrastructure. Unlike physical warfare, the distance between the attackers and the victims is irrelevant in cyber attacks, thus creating a bigger threat that proves even more difficult to identify, prevent, respond to, and recover from.
The potential for an actual cyber war is being realized with the idea that violent extremist groups and nation-states can partner together and be just as destructive as the terrorist attacks of 9/11. Former U.S. Secretary of Defense Leon Panetta noted: “the collective result of these kinds of attacks could be a cyber Pearl Harbor; an attack that would cause physical destruction and the loss of life” (as cited in Osawa, 2013).
By Pritesh Parekh
Zuora VP & CSO
In today’s Internet of Things (IoT) world, every device can communicate and be connected to the Internet - from your refrigerator to your lights and cars. IoT’s glitter is often dimmed by legitimate security concerns.
Just as the power of this new technology can make our lives easier and immensely more delightful, IoT put into the wrong hands could lead to very undesirable results. Fortunately, there are principles to be applied that can mitigate risk in our highly connected world.
It seems the security spotlight has been solely focused on data breaches and the resultant loss of privacy and risk of identity theft, but what about the physical and in some cases life-threatening risks at play?
By Paul Calatayud
Over the past few years, there has been an uptick in cybercrime on a mass scale, with hackers gaining access to personal information of millions of people. Breaches at well-known, successful companies such as Target and Home Depot make national news.
In more recent years, healthcare organizations have increasingly become the target of cyber-attacks. The threat of information leaks and security vulnerabilities is undeniable, advancing the need for strong leadership to help manage security initiatives and ensure companies are safeguarding valuable customer data.
This is where a chief information security officer (CISO) steps in – to maintain processes across an organization to minimize IT security risks. Below I share my perspective on the evolving role as Surescripts’ security chief and how the position can and must fit into the organization’s overarching leadership framework.
By Daniel Conroy
Synchrony Financial CISO
Things were simpler in the past. I know we hear that sometimes and to a certain degree this is true. It is also true that he who forgets the past is doomed to repeat it. In the world of information security (IS), both adages apply.
Back in ancient history – in this case the 1980s (ancient in terms of IT evolution) – information security was an afterthought. The focus was on building “simple” networks with business enablement and functionality as the primary concerns. Back in those early days, hacking was more of a hobby than a malicious activity.
Those of us old enough to remember the movie WarGames will note its stark warning of how quickly things can unintentionally escalate. The first “simple” computer viruses began to emerge at this time as well. During the 1990s, we started to see more advanced network-aware code with the potential to cause real disruption.
By John J. Masserini
MIAX Options CSO
In Parts 1 and 2 of the series I gave you some food for thought about getting your message out there in a clean, crisp, and concise way and I took you on a trip to the magical and mystical island of InfoSec Land. In Part 3, we are going to take a look at the technology challenges in enterprise environments that many vendors overlook.
An Open Letter to Security Vendors – Part Three
There are three fundamental points that most startups – and many vendors in general – overlook when developing solutions and tool suites. You may have come up with a great solution to a problem, or a new, cutting-edge way to analyze network traffic, or some other way to address the risk in my environment. However, what you really need to remember when you think about your solution set is this:
It’s disruptive, it’s complex, and it’s operationally intensive.
I’ve seen a lot of potentially amazing products fall by the wayside because the product teams had forgotten about one of these three facts. There is an old AppDev adage that goes something like “We can do it fast, we can do it good, and we can do it cheap… pick two.”
Unfortunately, too many product teams fail to realize this adage doesn't suffice in the security realm. While most of us hardly expect to drop a solution into our infrastructure and get perfection (regardless of what the marketing types say), we do expect some consideration to be given to how we are going to live with your solution for years to come. I’m not buying a pen test that I can find someone else to do next year; I’m putting in a solution that will likely hit end-of-life in my data center.
Let's take each point one by one.
Will the next war be fought with bullets or mouse clicks?
Lendmark Financial Services VP of Information Security on Priorities when Starting a New Job
By Farhaad Nero
Bank of Tokyo-Mitsubishi UFJ, Ltd.
As a CISO or an executive responsible for the Information Security organization at your company, one thing that you ought to keep in real focus is the Silo Effect. Be conscious of it, work against it, and prevent it from derailing your vision and longevity!
So what is the Silo Effect? It’s when departments do not wish to share information with others in the same company. Of course, all of us understand why this may be the case, and all of us also understand the effects of this stance.
But I would like to stretch the usual definition a bit further. I would like to include situations where a lack of resources, time, and transparency forces us to operate in such a way – yes, a conscious decision, an unconscious decision, or both!
How do you know if you’re operating in a silo? Some situations to consider:
By Tim Kropp
Financial Sector Deputy CISO
Internet of Things (IoT) means everything is potentially connected everywhere and with everyone. Assume it is all compromised.
As the volume of IoT grows, we should better understand the implications that a multitude of tiny, powerful computers connecting to each other bring with them. These devices need the same strong attention we are placing on smartphones, laptops, servers, and services.
Among the IoT devices are routers, thermostats, refrigerators, and automobiles. Routers are particularly unnerving, as they have gotten a lot smarter and are extremely capable. They are also a perfect place for an attacker to sit, wait, and watch. If you have time, read Coding Horror’s blog post on this topic.