Understanding Intelligence

It is obvious that cyber security will continue to play an important part in national security. But as a Washington outsider, it is difficult to see inside the government policies and organizations that are responsible for this security. Michael Hayden has taken a significant step in providing this insight through his recent book, Playing to the Edge (2016). Mr. Hayden served as both Director of the NSA and Director of the CIA and is a retired four-star Air Force general. A great aspect of the book is that Mr. Hayden wrote it himself, apparently without a ghostwriter, so readers get the best insight into government intelligence that can pass a classification review. The years covered comprised turbulent times, including the 9/11 attack, the build-up of NSA monitoring, the Snowden leaks, and the alleged CIA torture incidents. No shortage of controversy here! Three points stood out for me. First, the real brilliance and leadership of Mr. Hayden in the many roles he assumed. Second, the g...

Align Your Security Program With the Business

Information security used to be part of IT. That has changed recently: security now needs to be independently aligned with business operations, not just IT operations. The PCI SSC calls this "Business as Usual" (BAU). The NIST CSF talks about aligning cybersecurity requirements with business activities. I call this process information security governance and maintain a CSO Online blog on the topic. For a recent post on an approach to aligning security with the business, go here....

Don’t fall victim to BEC

Business Email Compromise (BEC) continues to be one of the most successful information security attack vectors. Criminals steal the email addresses and passwords of C-level executives and then use them to initiate fraudulent financial transfers from the executive's employer to the criminals' bank account. In the process the executive's home network is also vulnerable: it will likely contain sensitive information, including business account information. I discussed this risk and recommended solutions in my webinar "Cybersecurity Tips for High Net Worth Individuals and Small Businesses" last February, now posted on LinkedIn here. Two new books cover the topic in more detail, and I recommend both to security practitioners. The first is Cybersecurity: Home and Small Business, by Raef Meeuwisse. The second is Small Business Cyber Security, by Adam Anderson and Tom Gilkeson. Both books adapt the NIST CSF to the home and small business environment. They will help you keep your c...

Enterprise Risk Management and Information Security

Enterprise Risk Management (ERM) has been around at least since the days of the Trojan Horse. Information security risk management can learn much from ERM and avoid reinventing the wheel. The National Association of Corporate Directors (NACD) made this clear in its 2014 handbook Cyber Risk Oversight. Principle #1 is to approach cybersecurity as an enterprise-wide risk management issue. For updated observations on ERM and information security, go to my CSO Online blog post "Don't be the next Humpty Dumpty"....