What makes a good CISO?

Posted by David Harley on July 9, 2016

The role of the CISO is a little different to the stuff I usually post here, but my ESET colleague Stephen Cobb is currently running a research project, ‘a study of what it takes to be an effective manager of information system security for an organization.’ As part of the project, he’s running a survey, of which he […]

Professionalization: should infoSec professionalize?

Posted by Kevin on January 25, 2016

In the context of this discussion, ‘professionalization’ is the creation of a governing body for cyber security practitioners, much like the American Medical Association (AMA) was created to oversee medical professionals. For the sake of argument, we’ll call this putative professional security body the Cyber Security Association (CSA). The question – should infosec professionalize? – […]

CISA: will it be good or bad for security?

Posted by Kevin on December 29, 2015

The long title for CISA is, “To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.” But not everyone thinks it actually will improve security.

Top Takeaways
More than 73% of CISOs think CISA will be bad for security
The most prevalent view is that it […]

Hacking Back: Should Business Have the Right?

Posted by Kevin on December 27, 2015

It is a natural law that you can meet force with force in order to defend yourself. How far should this extend into the cyberworld: should hacking back be a legal right for private business?

Top Takeaways
CISOs will obey the rule of law and not hack back alone
The involvement of law enforcement changes […]

Disclose: how soon after a breach should you disclose?

Posted by Kevin on December 23, 2015

The recent hack of the UK telecoms company TalkTalk highlights a vexing problem for CISOs: how quickly – and indeed to what extent – should you disclose a breach?

Top Takeaways
CISOs are not in favor of early breach disclosure
Incident response plans should be in place before a breach
Talk to counsel before disclosing […]

CISO View: Blocking Tor from the Enterprise

Posted by Kevin on November 18, 2015

The Onion Router (Tor) was designed to protect privacy and anonymity on the internet. However, it is increasingly being used by criminals to protect themselves and their endeavors. Last year Kaspersky Lab noted, “the cybercriminal element is growing… We found Zeus with Tor capabilities, then we detected ChewBacca and finally we analyzed the first Tor […]

Responding to Incidents and Preventing Crises

Posted by Kevin on October 28, 2015

The gradual realization that we cannot keep hackers out of our networks has led to the evolution of a new security concept: incident response. This states that equal emphasis should be placed on the response to a breach (or incident) as is currently placed on trying to prevent that breach. Part of this response can […]

The CISO and the thin ice syndrome

Posted by Kevin on October 16, 2015

FierceHealthIT magazine recently ran an article that commented, “Almost half of C-level executives throughout all industries lack confidence in their chief information security officer (CISO), often viewing him or her as a scapegoat when data breaches occur, according to a recent survey.”

C-suite execs often see CISOs as cybersecurity scapegoats

That resonates. Insights first came […]

CISO view: encryption backdoors

Posted by Kevin on October 5, 2015

A group of Chief Information Security Officers within Wisegate was asked for its views on encryption backdoors specifically for law enforcement. The response was an overwhelming rejection.

no encryption should ever have a backdoor for anyone
“today’s backdoor is tomorrow’s compromise”
“if data is required, information can be subpoenaed or NSLs can be issued”
Snowden’s […]

CISO view: DoJ vs Microsoft case

Posted by Kevin on October 3, 2015

In the DoJ vs Microsoft foreign emails case, we already know the law enforcement view; we already know the privacy activists’ view – and now we know the US security practitioners’ view.

there is little, if any, support for the government against Microsoft
there is some belief that it could affect trade for US internet […]