Stories by: Sarah D. Scalet

From AT&T's Global Network Operations Center 40 miles west of New York City, CISO Ed Amoroso has as wide a window into the Internet as anyone. With a glance at a two-story wall covered with computer monitors and television screens, Amoroso can tell at any given moment how much e-mail, Web and voice-over-IP traffic is streaming across AT&T's data networks, buzzing its way from business to business, person to person.

By the end of 2006, U.S. banks were supposed to have implemented "strong authentication" for online banking--in other words, they needed to put something besides a user name and password in between any old Internet user and all the money in a customer's banking account.

How do you run a responsible investigation, one that's done not only in a legal and ethical way (of course that's a prerequisite) but that's also effective?

It was late August, and depending on whom you asked, MySpace was either a Web 2.0 prophet or the devil gone digital. While the business world was reading about the social networking site's US$900 million deal with Google, its expansion into Australia and its mention on Time's list of the 50 coolest websites, the security community was riveted by a different set of headlines. "Two teens arrested in MySpace hack," read one. "Three teens accused of sexually assaulting girl they met on MySpace.com," read another. A third: "Man accused of raping MySpace date."

When Hewlett-Packard's overzealous investigation into boardroom leaks hit the news last year, many people were shocked -- shocked! -- to hear that the tech giant may have hired third-party investigators to go through individuals' trash. In fact, Dumpster diving is a favorite technique of investigators, and depending on the circumstances -- such as local laws and whether trash pickup occurs on public property -- it is often legal.

A tabletop exercise is a great way to get business continuity off the written page without the interruption of a full-scale drill. Rather than actually simulating a disaster, the crisis management group gathers for three hours to talk through a simulated disaster.

A good password is a system for creating codes that are easy to remember but hard to crack. Here's a set of guidelines:

Sure, you're thinking, records retention can be deadly. Deadly dull

Whether you're charged with preventing hacks, protecting assets, stopping fraud or defending trademarks, Google and other search engines present a new mix of risks for everybody in the security game

CISOs at midsize businesses face many of the same problems as CISOs at larger companies, but with a lot fewer resources. What they've learned can help any CISO get by on less.

Protecting data is not just a job for technologists. It also takes physical security and business continuity experts.