Businesses are losing patience with IT at the worst possible time: just when companies are becoming more aware of enterprise risk.
An observation from the global financial crisis is that organisations with a weak risk culture can experience extensive or even catastrophic damage. Significant investment in risk management people, processes and technology is only part of a sound business risk environment. The key component is the risk culture.
"It will take a massive incident for our company to wake up to itself!" How often do you hear that in the information security industry? All the time -- so what generally happens when things go horribly wrong after the "incident" occurs?
Even in the face of costly and embarrassing corporate security breaches, one in four companies fails to conduct any IT risk assessment. And 42% say there are areas of their information technology audit plans that cannot be addressed because of a lack of resources and expertise.
Information security governance should not be treated like corporate governance, IT security steering committees must have the right stakeholders and the board can remain largely unaware of security issues. Those are key strategies for effective security governance, says IT security and assurance manager at Sydney Water, Stephen Frede.
Amit Yoran was the Department of Homeland Security's first director of the National Cyber Security Division of the Information Analysis and Infrastructure Protection office. But by September 2004 he was frustrated by what he saw as a lack of concern and commitment to Internet security. So he quit his post.
Social networking and cloud computing threats abound, our annual Global Information Security Survey finds, making information security important once again to business leaders.
Security researchers are warning that Web-based applications are increasing the risk of identity theft or losing personal data more than ever before.
It seems like a question ripped from the back of a cheap sci-fi novel: What happens when the robots are turned against us?
We keep hearing about Denial of Service attacks, and how they can bring large organisations to a standstill, yet do we really understand the full range of events that the term encompasses? What does make up a DoS (or distributed DoS) attack, how it is done, and what can you do to prevent it happening to you?
Looking through the holidays into 2010 there are four clear priorities for risk management that cut across all tiers with financial institutions. Over the last year the pendulum has swung from the exotic to the pragmatic, from chaos to order within financial services. The four priorities for risk in 2010 can be derived from the word D.A.T.A.(data, analysis, transparency, accuracy).
Consultant and author Mike Ackerman's 10 counterterrorism principles for business.
Two experts break down critical considerations in merger and acquisition activity.
The management of information risk has become a significant topic for all organizations, small and large alike. But for the large, multi-divisional organization, it poses the additional challenge of determining how to deploy an information security governance program among what are often disparate business units. Should the policies, procedures, and processes that define the program be developed and managed within a central, corporate body? Or perhaps responsibility would be better placed at the individual unit level? Is there a workable middle-ground?
In the first column of this year, I discussed computer security outlook and hopes for 2008. I forecast more of the same that we saw in 2007: more spam, more malware, more bad guys basically owning the Internet and our connected computers. I don't see any trends or new leaders with significant power to change the status quo.
Sign up now »
Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).
- Have an incident response plan.
- Pre-define your incident response team
- Define your approach: watch and learn or contain and recover.
- Pre-distribute call cards.
- Forensic and incident response data capture.
- Get your users on-side.
- Know how to report crimes and engage law enforcement.
- Practice makes perfect.
I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.