By Chris Carpenter
Security Director, Office of the Secretary of Defense
The recent Office of Personnel Management (OPM) breach may be the largest breach of Federal records ever.
Current estimates range anywhere from 4 – 32 million personal records compromised. It has the attention of Congress and the nation as a whole. One of the key questions being asked is the one that is always asked, “How did you let this happen?”
The answers currently being provided are not very satisfying to many, but it’s really not an easy question.
There has been a lot of focus on why OPM did not have better protective measures in place to prevent a breach like this from happening. The OPM response has been that they don’t know if they could have prevented it.
By Joel Rosenblatt
The story about the Office of Personnel Management getting hacked this week was, unfortunately, not a big surprise to anyone in the security world.
How it got hacked, by phishing, was something that anyone who has been in the security field for any length of time could have predicted.
What comes as a surprise to me (and it really shouldn’t have) was the news this morning that, in addition to anyone who works for the government and people who used to work for the government, the hackers also were able to collect the information on people who merely applied to work for the government.
This last group, in my opinion, represents the real problem with how we treat data collection today.
My rule on data is you can’t lose what you don’t have. Never save data that you do not have a good business reason to save. This rule was clearly violated in the OPM case.
By Farhaad Nero
Do you know how Merriam-Webster defines vacation?
Believe it or not – this is what it says:
- A period of time that a person spends away from home, school, or business usually in order to relax or travel
- The number of days or hours per year for which an employer agrees to pay workers while they are not working
In this connected digital age, things certainly seem to have changed.
As Elon Musk once said, “I'd like to dial it back 5% or 10% and try to have a vacation that's not just email with a view.”
Stand up. Pause. Take a deep breath. Say aloud so you can hear yourself, “I really deserve a vacation!”
Doesn’t that feel good?
Now you can sit.
By David Sheidlower
A CISO’s Guide to Principles of Data Privacy and Security examines the key issues surrounding data privacy and security.
In this eBook, Sheidlower, currently CISO of an international media and advertising firm, provides his perspective on topics including privacy policies, big data, consent, governance and security.
According to the author: “The fundamental principles of privacy and security continue to evolve. I’ve tried to look into each of them from the consent process, which most people find problematic, to the need for a framework for data protection, which is where an organization’s security program comes in.”
The eBook has been lauded by Sheidlower’s peers, with Larry Whiteside Jr., CISO of the Lower Colorado River Authority (LCRA), stating: “It provides thought provoking and actionable information on issues that are top of mind for us – data privacy and security. I highly recommend reading it.”
By Daniel Conroy
Synchrony Financial CISO
As a CISO, I am often asked, “What is the key component to the success of an Information Security organization?” Too often, we dwell on the failures or gaps, and it is important to recognize where these faults lie in order to enhance the program’s capabilities.
But when things are “working,” it is easy to become complacent. When a properly planned and managed component protects the firm, in many cases, accolades are not offered.
In the current information security landscape, there are many moving parts that need to work seamlessly to ensure the protection of company assets, maintain compliance and continually evolve to address new challenges.
Vulnerability and threat management, security operations, assurance, data loss prevention, intrusion detection and prevention as well as metrics and reporting, comprise some, but not all, aspects of a successful information security organization.
A practitioner’s tips on being a successful leader
Sharing information on cyber threats
Are technical audits effective?
Vic Wheatman Speaks with Gartner's Dr. Anton Chuvakin
Many security policies are aspirations, doomed to fail because they are unrealistic. Not only can they be unachievable, but they may in fact encourage people to disregard policies because, after all, "we can't really do that."
Further, enterprises may not be able to collect on cyber insurance policy payouts because they didn't meet their own internal standards. These and other issues surrounding information security policies are discussed in this conversation between Security Current's Vic Wheatman and Gartner Research VP Dr. Anton Chuvakin.
By Daniel Solove
What is privacy? This is a central question to answer, because a conception of privacy underpins every attempt to address it and protect it.
Every court that holds that something is or isn't privacy is basing its decision on a conception of privacy -- often unstated.
Privacy laws are also based on a conception of privacy, which informs what things the laws protect. Decisions involving privacy by design also involve a conception of privacy. When privacy is "baked into" products and services, there must be some understanding of what is being baked in.