Security

What Would Bobby Fischer Do? Taking a Cybersecurity Lesson from a Chess Master

By | May 7th, 2015 | Categories: Technology

There’s a great expression that those of you who study chess will be familiar with. A Master will often tell a student to “look at the whole board,” but this instruction is not to be taken literally. It means that the student needs to consider several things: One, the potential impact of all the moves that have been played; two, all the potential moves they can anticipate making through the end of the game, and three, all the moves they can anticipate their opponent making. A small expression to describe a herculean task! Now, although this saying could be applied to many situations, a chess game is far easier to conquer than, say, cybersecurity because you have one opponent and can study his strategy. In the realm of cybersecurity, however, your opponents are legion and their weapons are many.

Protecting your digital assets is very much like looking at the whole board. A proper defense is not just one thing, but comprises a systematic construct of what you know (past events, known best practices, proven strategies), what measures you plan on putting in place, and the anticipation of what your adversaries might try to do. This would be augmented by an endless cascade of if/then planning and dry runs to prepare for an attack.

A security program should not be static but a living, breathing thing that is ever-changing based upon the observations you make and the information you gather. It is a series of defenses and actions premised on what your opponent is doing to others, and perhaps will do to you. For this reason, technology alone won’t guarantee success. While best practices around firewalls, protection systems, network configurations, passwords and processes are essential, people—as in

Are you too focused on the technical aspects of cyber security?

By | April 23rd, 2015 | Categories: Security Awareness

When someone mentions information security, invariably thoughts go to technical aspects such as firewalls, routers, wireless access points and how to set those devices up—or to physical aspects such as locks, security guards and fences. These are the technical and physical controls that usually comprise our understanding of how to achieve the best level of security possible. But controls for information security fall into three main categories: the physical and technical—which we’ve already described—and the administrative, which often receives short shrift. Why?

My guess is that administrative controls are considered “soft,” focusing on management and training, and it’s pretty enticing to think that technical controls and physical controls will suffice for cyber security defense. Not a good idea, says Art Gilliland, senior vice president and general manager for Hewlett-Packard’s software enterprise security products in a recent issue of Computer World.

“…businesses and government agencies often focus on the next ‘silver bullet’ product, unaware that most cybersecurity problems stem from flawed procedures and human error…invest in your people and process.”

In the broader world of business, success depends on the correct balance of the three main pillars: people, process, and technology. Within information security, are we creating a three-legged stool with one leg (technology) longer than the others? That can’t be good. Technology is an important piece of your arsenal, but insufficient by itself. Having sound policies, defining clear role-based processes and procedures, and providing communications and training for key stakeholders (which may include every employee) will create balance for the three-legged stool of information security. Policies and processes might sound like management overhead, but any organization desiring to provide consistent goods and services must have consistently applied policies and processes—i.e., CMMI, but that’s a topic for another

CIOs—Unsung Heroes

By | March 25th, 2015 | Categories: security

In my 35+ years of being a corporate change agent, and now at the helm of my own consultancy, I have worked with all levels of the C-suite, and I have to say the CIO role is by far the most difficult. There are numerous reasons for this, not the least of which is an outdated model of the C-suite itself.

The fact is that most companies still view IT and the CIO role through the narrow lens of providing technology-based services; they have not broadened that view to take into account the stunning changes wrought by digital technology. IT is no longer simply responsible for building, operating, and maintaining infrastructure; it’s responsible for data governance, driving growth through data analytics, cyber security, connectivity and integration. However, since most organizations are peering through the old lens of IT-as-service-provider, they are blind to IT as a revenue-producer. The irony here is that Sales, Marketing, R&D, Finance, and HR—those typically considered revenue-producing—are only able to do what they do because of IT and IT’s ability to stay ahead of the curve.

According to a recent IBM study of 4,100 C-suite executives, only 42% of CIOs were involved in strategy, as opposed to 72% for CFOs and 63% for CMOs. This is puzzling. Since IT touches everything, the CIO has an enterprise-wide vision that would be invaluable in integrating an enterprise-wide strategy. Luckily, the IBM study suggests that this is turning around—the CIO is soon going to be considered one of the C-suite “triumvirate”: CEO, CIO, CMO.

Another reason the CIO role is more difficult than most is that it bears sole responsibility for ensuring business continuity through critical service level agreements that define uptime, availability and redundancy.