Top IT Security Bloggers

Network World - Networking Nuggets and Security Snippets
  • Why CISOs succeed and why they leave

    Network World - Networking Nuggets and Security Snippets
    Earlier this year, ESG and the Information Systems Security Association (ISSA) published a research report titled, The State of Cyber Security Careers. The report was based on a survey of 437 cybersecurity professionals, the clear majority of which were ISSA members.Two-thirds of these cybersecurity professionals worked at an organization that employed a CSO or CISO. These individuals were then asked to identify the most important qualities that make a successful CISO. Here is a sample of the results:
    50% of respondents said strong leadership skills were most important
    47% of respondents said strong communication skills were most important
    30% of respondents said a strong relationship with business executives was most important
    29% of respondents said a strong relationship with the CIO and other members of the IT leadership team was most important
    23% of respondents said strong management skills were most important

    Based upon this list, it’s clear that successful CISOs need to be strong business people who can work with business and IT executives. This is an important consideration since many security professionals are deeply rooted in the technology rather than the business aspects of infosec.To read this article in full or to leave a comment, please click here
  • Trump Cybersecurity Do’s and Don’ts (Part 2)

    Network World - Networking Nuggets and Security Snippets
    Given recent cybersecurity incidents like the Google Android data breach, the DDoS attack on Dyn and the data breach of the DNC, President-elect Donald Trump will find cybersecurity policy a top priority when he takes office in January.What should Mr. Trump do and what should he avoid?  In my last blog, I presented some recommendations for the “do” column.  Alternatively, here is a list of things President Trump should eschew in his administration’s cybersecurity agenda.  The “don’t” column includes the following:
    Don’t obsess over cybersecurity intelligence sharing path.  Public/private partnerships for cybersecurity cooperation have roots that go back to the Clinton administration’s original PDD-63 for critical infrastructure protection.  In more recent times, congress struggled with CISPA then CISA as stand-alone bills before sneaking CISA into a federal spending bill in late 2015.  Intelligence sharing is a good step but it’s been beaten to death and most large organizations have figured this out on their own.  What’s needed is a concerted effort on best practices and sharing threat intelligence with small businesses.  Yes, these things should happen but the feds should do so as part of CISA and not spin up another distracting effort.  Remember that threat intelligence sharing is a means to an end (i.e. better cybersecurity visibility and analysis) and not an end in itself.
    Don’t propose yet another blue-ribbon cybersecurity panel.  If Mr. Trump’s goal is to shake up Washington, the last thing he should do is appoint another blue-ribbon panel to study cybersecurity issues and provide recommendations – this action is on page one of every Beltway politician’s playbook.  As an alternative, Mr. Trump should appoint high-level cybersecurity experts to go through President Obama’s cybersecurity commission’s findings and suggestions (as well as other historical similar reports), tailor them to his political agenda, and push forward the appropriate actions with congress as soon as possible.    
    Don’t even think about giving national cybersecurity oversight to the military.  The few cybersecurity plans Mr. Trump camp talks about tend to include a military and intelligence component to them.  This is fine when it comes to offensive operations and U.S. Cyber Command but it gets a little scary with regard to civilian agencies and the private sector.  There are those at the Pentagon that will push for this by equating cybersecurity with national security but with all due respect to the military, Mr. Trump must absolutely follow the lead of past President’s and draw a clear line between military and civilian cybersecurity involvement.  In truth, ANY military, law enforcement, or intelligence involvement in private sector and consumer cybersecurity programs will turn into an all-consuming political and technology civil war with Republicans and Democrats alike will pushing back.   This unnecessary fight must be avoided as it could halt federal cybersecurity progress for months or years. 
    Don’t push for a new federal cybersecurity agency.  Since the military can’t be involved in private sector cybersecurity, many responsibilities fall to DHS, a massive bureaucracy that hasn’t had a strong record of success with its cybersecurity programs.  Some in Washington see this as a reason to create yet another civilian agency, a department of national cybersecurity.  While it may be tempting to consolidate cybersecurity responsibilities, it would be extremely difficult to unwind cybersecurity from DHS and every other nook and cranny in the greater DC area.  This shouldn’t mean however that the Trump administration should live with an understaffed and under-skilled DHS steering the cybersecurity ship.  As I mentioned in my last blog, Mr. Trump needs a skilled government insider to help streamline federal cybersecurity oversight, , cut Washington fat, and create a model that empowers DHS with the right resources and programs. 
    Don’t mess with encryption.  This piece of advice is in the same neighborhood as one of my previous ones.  Mr. Trump blasted Apple after the San Bernardino terrorist attacks and may be sweet-talked by intelligence and law enforcement insiders to push further for encryption loopholes for government surveillance.  Once again this will only alienate the technology industry, privacy advocates, and half the population.  Besides, bad guys will simply avoid U.S. technology and use open source or foreign alternatives.  President Clinton pushed a similar agenda with the Clipper Chip in the 1990s.  It failed miserably and there’s no reason to believe that Clipper 2.0 would be any different.  
    Don’t rule out regulation.  I realize that Mr. Trump was elected with a promise of cutting federal regulations but he should still be careful not to issue a George H.W. Bush-like proclamation (i.e. “read my lips, no new taxes”) that he will never change this position.  For example, IoT vendors may continue to sell network-ready devices built on top of vulnerable software and default passwords leading to a wave of DDoS events a la the Dyn/Mirai attack this past October.  Mr. Trump may find that the best way to improve IoT security is with some type of UL-like requirement for software.  Mr. Trump should understand that you never say never with cybersecurity.    

    Finally, I’d suggest Mr. Trump to think hard about becoming trigger happy with offensive cybersecurity operations.  Remember that the U.S. is more vulnerable than just about anyone else and no one will be happy with the administration if the power goes out in NYC for months. To read this article in full or to leave a comment, please click here
  • Trump cybersecurity dos and don’ts

    Network World - Networking Nuggets and Security Snippets
    President-elect Donald Trump ran a campaign focused on national security and making America great again through economic reform. Clearly both goals should include policies and programs to bolster the nation’s cybersecurity capabilities. This shouldn’t be an abstract concept to Mr. Trump after an election cycle featuring Russian hacks and WikiLeaks posts. To reinforce this priority, it is also worth noting that in a pre-election survey by ESG research, 49 percent of cybersecurity professionals said cybersecurity is a critical issue and should be the top national security priority for the next President, while 45 percent said cybersecurity is a very important issue and should be one of the top national security priorities for the next President. If those citizens on the front line see cybersecurity as a major priority, this should speak volumes to the President-elect. To read this article in full or to leave a comment, please click here
  • Goodbye SIEM, hello SOAPA

    Network World - Networking Nuggets and Security Snippets
    Security Information and Event Management (SIEM) systems have been around for a dozen years or so. During that timeframe, SIEMs evolved from perimeter security event correlation tools to GRC platforms to security analytics systems. Early vendors such as eSecurity, GuardedNet, Intellitactics and NetForensics are distant memories. Today’s SIEM market is now dominated by a few leaders: LogRhythm, McAfee (aka: Nitro Security), HP (aka: ArcSight), IBM (aka: QRadar) and Splunk.Of course, there is a community of innovative upstarts that believe SIEM is a legacy technology. They proclaim that log management and event correlation can’t keep up with the pace of cybersecurity today, thus you need new technologies such as artificial intelligence, machine learning algorithms and neural networks to consume, process, and analyze security data in real time. To read this article in full or to leave a comment, please click here
  • Which Job-Related Factors Alienate Cybersecurity Pros?

    Network World - Networking Nuggets and Security Snippets
    When it comes to cybersecurity jobs, it is truly a seller’s market.  According to ESG research published early this year, 46% of organizations report a problematic shortage of cybersecurity skills (note: I am an ESG employee).  Additionally, a more recent research report from ESG and the Information Systems Security Association (ISSA) indicates that 46% of cybersecurity professionals are solicited by recruiters to consider another job at least once each week!The data indicates that there aren’t enough cybersecurity professionals around and those that are employed are in high demand.  This puts a lot of pressure on CISOs and human resources people to make sure to keep their existing cybersecurity staff happy so they don’t walk out the door when they are barraged by headhunters’ calls. To read this article in full or to leave a comment, please click here
  • Trump remains frighteningly behind in cybersecurity

    Network World - Networking Nuggets and Security Snippets
    As we move into 2017, cybersecurity concerns continue to escalate. This past few months, we’ve seen some scary incidents, such as the Oct. 21 distributed denial of service (DDoS) attack on the DNS services at Dyn that used IoT devices like home routers and cameras as a botnet. Oh, and the last few months of the U.S. presidential election featured data breaches of the DNC and Clinton campaign manager John Podesta’s email and the subsequent posting of this information on WikiLeaks.It's pretty alarming, and it doesn’t appear things will get better anytime soon. This begs the question: What type of cybersecurity response can we expect from President Donald Trump’s administration? To read this article in full or to leave a comment, please click here
  • Goodbye, NAC. Hello, software-defined perimeter

    Network World - Networking Nuggets and Security Snippets
    Those of us who’ve been around security technology for a while will remember the prodigious rise of network access control (NAC) around 2006. Now, the ideas around NAC had been around for several years beforehand, but 2006 gave us Cisco’s network admission control (aka Cisco NAC), Microsoft’s network access protection (NAP) and then a whole bunch of venture-backed NAC startups (ConSentry, Lockdown Networks, Mirage Networks, etc.).There were lots of reasons why the industry was gaga over NAC at the time, but it really came down to two major factors:
    Broad adoption of WLANs. In 2006, wireless networking based upon 802.11 was transforming from a novelty to the preferred technology for network access.  I also believe laptop sales first overtook desktop computer sales around this same timeframe, so mobility was becoming an IT staple as well. Many organizations wanted a combination of NAC and 802.1X so they could implement access policies and monitor who was accessing the network.
    A wave of internet worms. The early 2000s produced a steady progression of internet worms, including Code Red (2001), Nimda (2001), SQL Slammer (2003), Blaster (2003), Bagel (2004), Sasser (2004), Zotob (2005), etc. These worms could easily spread across an entire enterprise network from a single PC as soon as a user logged on. NAC was seen as a solution to this problem by providing point-to-point PC inspection and authentication over Layer 2 before systems were granted Layer 3 network access.

    NAC really was a good idea, but the space was over invested and many of the products were difficult to deploy and manage. As a result, NAC enthusiasm faded, although NAC deployment was making slow but steady progress. As NAC became a niche product, it lost its panache. Heck, my friends at Gartner even killed the NAC MQ when there were few vendors left and not much to write about.To read this article in full or to leave a comment, please click here
  • Election Data Models Lesson for Cybersecurity

    Network World - Networking Nuggets and Security Snippets
    If you are like me, you were pretty convinced that Secretary Clinton was poised to be the President elect.  Confidence in this opinion was based on reviewing numerous big data analytics models from the fivethirtyeight.com, the New York Times, Princeton, etc.  The lowest percentage gave Mrs. Clinton roughly a 65% chance of winning on November 8. So, what happened?  Every database jockey recognizes the old maxim of garbage in/garbage out.  In other words, killer algorithms and all the processing power in the world are rather useless if your model is built on the back of crappy data.  Obviously, all the brainiacs building these models made a critical mistake in not gathering data from disenfranchised white voters in rural areas.  The result?  A stunning election result and lots of eggs on ivy league elitist faces.To read this article in full or to leave a comment, please click here
  • The scary state of the cybersecurity profession

    Network World - Networking Nuggets and Security Snippets
    Most discussions about cybersecurity tend to go right to technology, and these days they usually start with the words “next generation” as in next-generation firewalls, IPS, endpoint security, etc. I get it, since innovative technology is sexy, but it’s important to realize that skilled cybersecurity professionals anchor cybersecurity best practices.  We depend on actual people to configure controls, sort through data minutiae to detect problems, and remediate issues in a timely manner.+ Also on Network World: Recruiting and retaining cybersecurity talent +
    Since these folks protect all our digital assets daily, it’s only natural that we’d be curious as to how they are doing. To measure these feelings, ESG teamed up with the Information Systems Security Association (ISSA) and conducted a survey of 437 global cybersecurity professionals. This project resulted in a recently published research report. To read this article in full or to leave a comment, please click here
  • Cybersecurity: A Priority for Next POTUS

    Network World - Networking Nuggets and Security Snippets
    When the two major presidential candidates haven’t been focused on each other’s personal behavior or legal imbroglios, they’ve tended to discuss a few major issues such as health care, immigration reform, or battling terrorism. Yes, these are critical topics but what about cybersecurity?  After all, this very campaign has featured nation state hacking, email theft, and embarrassing email disclosures from egomaniac Julian Assange and WikiLeaks. Alas, each candidate has been relatively silent about cybersecurity threats, national vulnerabilities, or what they plan to do to bridge this gap.  Secretary Clinton’s policies look a lot like President Obama’s Cybersecurity National Action Plan (CNAP) but add a national security component due to her personal experience with state sponsored hacks of the DNC and John Podesta.  Donald Trump seemed completely ignorant about cybersecurity issues (remember “the cyber” comments and his rant about his 10-year-old son’s computer skills?), but has since come up with some pedestrian cybersecurity policy objectives. To read this article in full or to leave a comment, please click here

Editor's Recommendations

Solution Centres

Events

View all events Submit your own security event

Latest Videos

More videos

Blog Posts

Media Release

More media release