QOTD on CIO Skills
CIOs need to inculcate a blend of three skills - conceptual, technical and human skills, but most importantly the human skill, as they are the bridge between the top-level and the low-level management. -- Dr. Nityesh Bhatt, Associate Professor, Nirma Institute of Management
Src: CIOs need to champion human skills | CIOL News Reports
QOTD on Being Secure
You don't want to be the most secure place on earth - you want to be secure enough to make others a more attractive target (hackers are smart and lazy, too - they strive for the easy prey in most cases), and you want to be in business. Otherwise your security model stinks. -- Michael Oberlaender
Src: The Magic Triangle of IT Security | ComputerWorld
QOTD on Biometrics
The reality is that biometrics are a feel-good measure designed to give people the false impression that they are more secure than they were before, when in fact they are more at risk. Identity theft victims report that it can take three, five or more years to clean up the financial mess left after a stolen Social Security number. How long will it take to clean up a stolen fingerprint? -- George Tillmann, a former CIO, management consultant and the author of The Business-Oriented CIO
Src: The case against biometric identity theft protection | IDG.no
QOTD Schmidt on the Value of Data
Many businesses, governments and individuals are still unclear about the true value of data and where it resides, and who has ownership is even less clear. We need to be better at controlling and managing data and understand the expectations of the data owners and providers. For example, if we give personal data to identify and validate ourselves, this data is only required for a short period of time and could then be destroyed. -- Professor Howard A. Schmidt, CISSP, president of ISF
Src: RSA Europe: Information Security and data value should be part of education and training | Infosecurity (UK)
QOTD on Banking Fraud
We don't need to know who's doing it, just what it looks like at an earlier phase, so we can alert our institutions and prepare them on what to look for. -- Doug Johnson, Senior Policy Analyst at the American Bankers Association
Src: Online Fraud: New Victims, New Approaches | BankInfoSecurity.com
QOTD on CIO as CSO+CPO
No one could credibly deny that IT has a significant responsibility for security and privacy, but care should be taken to distinguish enablement from execution. The fact is, IT alone cannot solve the problem. -- Ted DeZabala, author & national leader of the Security & Privacy Services practice at Deloitte & Touche LLP
Src: The CIO as Chief Security/Privacy Officer | CIOInsight.com
QOTD on e-Spying
Modern-day espionage doesn't involve cloak and dagger anymore. It's all electronic. -- Tom Kellermann, Vice President at Core Security Technologies
Src: China Expands Cyberspying in U.S., Report Says | WSJ.com
QOTD - Schmidt on Current Laws
We still have 18th century laws looking at 21st century technologies - that needs to be changed. -- Howard Schmidt, ISF President & CEO
Src: RSA Europe: Two-factor authentication is worth nothing, says executive director, EEMA | Infosecurity (UK)
QOTD - Spafford on the security conundrum
No individual business is facing huge losses necessarily, but collectively we are facing just unimaginable losses, but nobody is willing to pay the cost up front for what is necessary to solve the problem in the longer term.
The problem is that we generally only respond to crisis. And the kinds of problems that we are seeing in the whole information security arena are not a spot crisis; they are a growing community problem. So when we are talking tens of billions of dollars of loss every year in intellectual property theft, fraud, unnecessary or over-expenditure on security goods and services, and various other kinds of problems, that cost is not borne by any single entity, but it is borne by everyone. This results in a huge friction on the economy. It is definitely a loss to society. But no one feels it enough that they are willing to make the investment and the sacrifices to move forward. The government might play a role in this, and one way would be to phase in some liability on operators and vendors for obviously making poor choices. -- Prof. Eugene Spafford, Purdue University
Src: The State of Information Assurance Education 2009: Prof. Eugene Spafford, Purdue University
QOTD on Questioning our Assumptions
One of the many pitfalls of information security is the illusion of permanence that surrounds many longstanding tools, policies and ways of doing business. Too often, the fact that 'it's always been done that way' clouds our judgment and blinds us to a system's holes. To avoid that mistake, it's time to learn how to second-guess yourself. -- Ed Moyle, manager with CTG's information security solutions practice
Src: Why It Pays to Second-Guess Your Technology Assumptions | TechNewsWorld
QOTD on Humans & Complexity
While technology and information have evolved and grown dramatically over the past 100 years, people's behaviors to cope with this growth have evolved at a much slower pace and our ability to keep up with the complexity foisted upon us is limited. So today, high value is found in taming the complexity so that humans can take full advantage of these dramatic developments and advancements in technology. This is the challenge facing IT organizations around the world. -- Art Coviello, President, RSA
Src: RSA Executives Offer Seven Guiding Principles To Maximize Megatrends Redefining the Information Security Industry | Reuters
QOTD on Managing your Career
If you're going to be the CEO of your own career, how do you want people to think of you? It's necessary to develop your own personal board of directors. You need to have a couple of people on there who know your marketplace and value what you're doing. -- Joyce Brocaglia, President and CEO of Alta Associates
Src: SC World Congress: Build a personal network | SC Magazine US
QOTD on Business Alignment
After years of "thinking differently", business and IT leaders may be starting to think like each other.
Src: 2010 Global State of Information Security Survey by PricewaterhouseCoopers
QOTD - Baker on Breaches
Many organizations right now have breaches they don't know about and won't discover for some time to come. -- Wade Baker, Research & Intelligence Principal at Verizon Business
Src: Cyberthieves find workplace networks are easy pickings | USATODAY.com
QOTD - Pescatore on Occurrences
Data loss is to information security as patient mortality is to medicine. 'Extremely rare' has to mean 'close to never' vs. 'not often.' -- John Pescatore, Vice President at Gartner Inc.
Src: SANS NewsBites Vol 11 Num 80
QOTD - Rand on Cyberwar
Cyberspace is its own medium with its own rules. Cyberattacks, for instance, are enabled not through the generation of force but by the exploitation of the enemy's vulnerabilities. Permanent effects are hard to produce. The medium is fraught with ambiguities about who attacked and why, about what they achieved and whether they can do so again. Something that works today may not work tomorrow (indeed, precisely because it did work today). Thus, deterrence and warfighting tenets established in other media do not necessarily translate reliably into cyberspace. Such tenets must be rethought. -- RAND Corporation report "Cyberdeterrence and Cyberwar"
[Note: emphasis is mine]
Src: RAND report on Cyberdeterrence and Cyberwar
QOTD - Rothke on Encryption vs Data Destruction
"Encryption is a fantastic way to assure the privacy of live data, but is not suitable for the protection of end-of-life data," says Ben Rothke, Senior Security Consultant with BT Professional Services & author of Computer Security: 20 Things Every Employee Should Know.
Ben goes on to explain that
Encryption's weakness is that the keys used to secure the data may be compromised. Even if the 256-bit Advanced Encryption Standard (AES) is used, which is unbreakable using current technology, data can be compromised if the user chooses a weak passphrase to protect the data, or if the key was not properly destroyed.
Some have suggested that encryption and then losing the keys is a method of destruction. But in speaking with those who have forensic labs, they note that there are ways of getting keys, as well as cracking keys on lesser levels of encryption. Given that, encryption should be used as a security mechanism, not as a destruction tool.
Src: Why Information Must Be Destroyed, Part Two | CSO Online
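Rothke's point about weak passphrases is easy to see in code. The block below is an added example, not code from the CSO article or from Rothke: it encrypts a record under a key derived from a passphrase, "destroys" the key, and then recovers the record anyway by re-deriving candidate keys from a wordlist, because the salt sits in the clear beside the ciphertext and the authentication tag tells the attacker when a guess is right. A second run with a key drawn from the operating system's CSPRNG shows that the same attack has nothing to guess. Everything here is constructed (the passphrase, the wordlist, the sample record, the low PBKDF2 iteration count), and SHA-256 in counter mode stands in for AES-256 only because the Python standard library ships no AES; the weakness demonstrated lives in the key derivation, not in the cipher.

```python
import hashlib
import hmac
import os
import secrets

# Added example, not from the CSO article or from Ben Rothke. Everything below
# is constructed: the passphrase, the wordlist, the sample record. SHA-256 in
# counter mode stands in for AES-256 because the standard library has no AES;
# the weakness demonstrated lives in the key derivation, not in the cipher.

PBKDF2_ITERATIONS = 10_000  # kept low so the demo runs quickly; production KDFs use far more
# Constructed wordlist an attacker might try; the weak passphrase sits at the end.
WORDLIST = ["password", "letmein", "Welcome1", "qwerty123", "summer2009"]
RECORD = b"constructed sample: customer SSN 000-00-0000"  # constructed, not real data


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Turn a user-chosen passphrase into a 256-bit key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream-cipher stand-in: XOR data with SHA-256(key || nonce || counter) blocks."""
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Produce nonce || ciphertext || HMAC tag; the tag lets a decryptor detect a wrong key."""
    nonce = os.urandom(16)
    ciphertext = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key does not verify the tag."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return keystream_xor(key, nonce, ciphertext)


def dictionary_attack(salt: bytes, blob: bytes, candidates):
    """What a forensic lab does once a 'destroyed' key turns out to be passphrase-derived:
    re-derive a key from each candidate and let the tag say whether it fits."""
    for guess in candidates:
        plaintext = decrypt(derive_key(guess, salt), blob)
        if plaintext is not None:
            return guess, plaintext
    return None


def demo_weak_passphrase():
    """Encrypt, 'destroy' the key, and show the data is still recoverable."""
    salt = os.urandom(16)              # salts are stored in the clear next to the ciphertext
    key = derive_key("summer2009", salt)
    blob = encrypt(key, RECORD)
    del key                            # Python cannot promise the key bytes left memory either
    return dictionary_attack(salt, blob, WORDLIST)


def demo_random_key():
    """Same flow with a key from a CSPRNG, so there is no passphrase to guess."""
    salt = os.urandom(16)
    key = secrets.token_bytes(32)
    blob = encrypt(key, RECORD)
    del key
    return dictionary_attack(salt, blob, WORDLIST)


if __name__ == "__main__":
    print("passphrase-derived key:", demo_weak_passphrase())  # guess and record come back
    print("random key:", demo_random_key())                   # None
```

The `del key` line is the part Rothke's forensic contacts would smile at: in a managed runtime nothing guarantees the key material is overwritten, and on disk the key wrapping file, swap and backups usually keep copies. Losing a key is therefore only destruction when the key was never derivable from anything an attacker can enumerate and every copy of it is accounted for, which is exactly why the quote treats encryption as a confidentiality control rather than a disposal method.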
QOTD Ranum on Distributed Data
Distributed data is distributed vulnerability. Accessibility from everywhere means leakage everywhere. But, strangely, whenever one of us "old school" security practitioners says that, the rejoinder is "data compartmentalization is an impediment to doing business." Ultimately it will sink in - you either have impediments to doing business, or you have leaks. -- Marcus Ranum, CSO for Tenable Network Security
Src: SANS NewsBites Vol 11 Num 79
QOTD on the Next World War
The next world war could begin in cyberspace.
...
In Cyberspace there is no such thing as a superpower: Every citizen is a superpower. -- Mr. Hamadoun Touré, Secretary General of the International Telecommunication Union (UN)
Src: World War III Could Be Fought on Internet, Says ITU Head | PC World
QOTD - Stiennon on Sun Tzu's Teachings
Sun Tzu's teaching is clear. Security must rely on strong defenses even when no attacks are evident. -- Richard Stiennon, founder of IT-Harvest
Src: Sun Tzu on defense | ThreatChaos