The First National Cybersecurity Summit

On July 31, 2018 I attended the first National Cybersecurity Summit at the US Customs House in lower Manhattan. The building itself was constructed around 1902 1907 in order to collect tariffs. Teddy Roosevelt was President and tariffs were a subject of divisive national debate. Global issues were still in ... Read More
New Privacy Laws Require Security Professionals Up Their Game

New Privacy Laws Require Security Professionals Up Their Game

Two recent privacy laws GDPR and the California Consumer Privacy Act (AB 375) focus more attention on protecting digital privacy of individuals. Both laws will require that security professional up their game. In this post I will cover some of the security implications of AB 375. Gone are the days ... Read More

Cybersecurity Workforce Development: Real or Imagined Problem?

Yesterday DHS and the Commerce Department released their most recent workforce report Supporting the Growth and Sustainment of the Nation s Cybersecurity Workforce . The report was commissioned by the Trump administration in May 2017. Having studied this issue from roles in academia, private industry and government, I thought I ... Read More
Antidote for Fake Everything

Antidote for Fake Everything

In this digital era, anything can be faked; followers, news, experts, emails and so on. The possibilities are limited only by the imagination of the faker. It turns out that these issues were addressed back in 1996, by Carl Sagan, the world famous astronomer. His context was UFO s, but ... Read More
Information Security Risks, Gray Rhinos and Black Swans

Information Security Risks, Gray Rhinos and Black Swans

Information security over the past few years has been obsessed with zero day vulnerabilities, hacking exploits and headline making mega breaches. Every security risk manager is looking for the unknown unknowns that could result in untimely unemployment. But is that the right approach? One presentation and one book made me ... Read More

Understanding Intelligence

It is obvious that cyber security will continue to play an important part in national security. But as a Washington outsider, it is difficult to see inside government policies and organizations that are responsible for this security. Michael Hayden has taken a significant step in providing this insight through his ... Read More

Align Your Security Program With the Business

| | Connecting the Dots
Information security used to be part of IT. That has changed recently; security now needs to be independently aligned with the business operations, not just IT operations. The PCI SSC calls this "Business as Usual" (BAU). NIST CSF talks about aligning cybersecurity requirements with business activities. I call this process ... Read More

Don’t fall victim to BEC

| | Connecting the Dots
Business Email Compromise (BEC) continues to be one of the most successful information security attack vectors. Criminals steal email addresses and passwords of C level executives and then use this information to initiate fraudulent financial transfers from the executive's employer to the criminal's bank account. In this process the executive's ... Read More

Enterprise Risk Management and Information Security

| | Connecting the Dots
Enterprise Risk Management (ERM) has been around at least since the days of the Trojan Horse. Information security risk management can learn much from ERM and avoid reinventing the wheel. The National Association of Corporate Directors (NACD) made this clear in the 2014 handbook Cyber Risk Oversight. Principle #1 is ... Read More