QOTD on CIO Skills

CIOs need to inculcate a blend of three skills - conceptual, technical and human skills, but most importantly the human skill, as they are the bridge between the top-level and the low-level management. -- Dr. Nityesh Bhatt, Associate Professor, Nirma Institute of Management
Src: CIOs need to champion human skills | CIOL News Reports

QOTD on Being Secure

You don't want to be the most secure place on earth; you want to be secure enough to make others a more attractive target (hackers are smart and lazy, too; they strive for the easy prey in most cases), and you want to be in business. Otherwise your security model stinks. -- Michael Oberlaender
Src: The Magic Triangle of IT Security | ComputerWorld

QOTD on Biometrics

The reality is that biometrics are a feel-good measure designed to give people the false impression that they are more secure than they were before, when in fact they are more at risk. Identity theft victims report that it can take three, five or more years to clean up the financial mess left after a stolen Social Security number. How long will it take to clean up a stolen fingerprint? -- George Tillmann, a former CIO, management consultant and the author of The Business-Oriented CIO
Src: The case against biometric identity theft protection | IDG.no

QOTD Schmidt on the Value of Data

Many businesses, governments and individuals are still unclear of the true value of data and where it resides and who has ownership is even less clear. We need to be better at controlling and managing data and understand the expectations of the data owners and providers. For example, if we give personal data to identify and validate ourselves – this data is only required for a short period of time and could then be destroyed. -- Professor Howard A. Schmidt, CISSP, president of ISF.
Src: RSA Europe: Information Security and data value should be part of education and training | Infosecurity (UK)

QOTD on Banking Fraud

We don't need to know who's doing it, just what it looks like at an earlier phase, so we can alert our institutions and prepare them on what to look for. -- Doug Johnson, Senior Policy Analyst at the American Bankers Association.
Src: Online Fraud: New Victims, New Approaches | BankInfoSecurity.com

QOTD on CIO as CSO+CPO

No one could credibly deny that IT has a significant responsibility for security and privacy, but care should be taken to distinguish enablement from execution. The fact is, IT alone cannot solve the problem. -- Ted DeZabala, author & national leader of the Security & Privacy Services practice at Deloitte & Touche LLP.
Src: The CIO as Chief Security/Privacy Officer | CIOInsight.com

QOTD on e-Spying

Modern-day espionage doesn't involve cloak and dagger anymore. It's all electronic. -- Tom Kellermann, Vice President at Core Security Technologies
Src: China Expands Cyberspying in U.S., Report Says | WSJ.com

QOTD - Schmidt on Current Laws

We still have 18th century laws looking at 21st century technologies – that needs to be changed. -- Howard Schmidt, ISF President & CEO.
Src: RSA Europe: Two-factor authentication is worth nothing, says executive director, EEMA | Infosecurity (UK)

QOTD - Spafford on the security conundrum

No individual business is facing huge losses necessarily, but collectively we are facing just unimaginable losses, but nobody is willing to pay the cost up front for what is necessary to solve the problem in the longer term.

The problem is that we generally only respond to crisis. And the kinds of problems that we are seeing in the whole information security arena are not a spot crisis; it is a growing community problem. So when we are talking tens of billions of dollars of loss every year in intellectual property theft, fraud, unnecessary or over-expenditure on security goods and services, and various other kinds of problems, that cost is not borne by any single entity, but it is borne by everyone. This results in a huge friction on the economy. It is definitely a loss to society. But no one feels it enough that they are willing to make the investment and the sacrifices to move forward. The government might play a role in this, and one way would be to phase in some liability on operators and vendors for obviously making poor choices. -- Prof. Eugene Spafford, Purdue University
Src: The State of Information Assurance Education 2009: Prof. Eugene Spafford, Purdue University

QOTD on Questioning our Assumptions

One of the many pitfalls of information security is the illusion of permanence that surrounds many longstanding tools, policies and ways of doing business. Too often, the fact that 'it's always been done that way' clouds our judgment and blinds us to a system's holes. To avoid that mistake, it's time to learn how to second-guess yourself. -- Ed Moyle, manager with CTG's information security solutions practice
Src: Why It Pays to Second-Guess Your Technology Assumptions | TechNewsWorld

QOTD on Humans & Complexity

While technology and information have evolved and grown dramatically over the past 100 years, people's behaviors to cope with this growth have evolved at a much slower pace and our ability to keep up with the complexity foisted upon us is limited. So today, high value is found in taming the complexity so that humans can take full advantage of these dramatic developments and advancements in technology. This is the challenge facing IT organizations around the world. -- Art Coviello, President RSA
Src: RSA Executives Offer Seven Guiding Principles To Maximize Megatrends Redefining the Information Security Industry | Reuters

QOTD on Managing your Career

If you're going to be the CEO of your own career, how do you want people to think of you? It's necessary to develop your own personal board of directors. You need to have a couple of people on there who know your marketplace and value what you're doing. -- Joyce Brocaglia, President and CEO of Alta Associates
Src: SC World Congress: Build a personal network - SC Magazine US

QOTD on Business Alignment

After years of “thinking differently”, business and IT leaders may be starting to think like each other.
Src: 2010 Global State of Information Security Survey by PricewaterhouseCoopers

QOTD - Baker on Breaches

Many organizations right now have breaches they don't know about and won't discover for some time to come. -- Wade Baker, Research & Intelligence Principal at Verizon Business
Src: Cyberthieves find workplace networks are easy pickings | USATODAY.com

QOTD - Pescatore on Occurrences

Data loss is to information security as patient mortality is to medicine. 'Extremely rare' has to mean 'close to never' vs. 'not often.' -- John Pescatore, Vice President at Gartner Inc.
Src: SANS NewsBites Vol 11 Num 80

QOTD - Rand on Cyberwar

Cyberspace is its own medium with its own rules. Cyberattacks, for instance, are enabled not through the generation of force but by the exploitation of the enemy’s vulnerabilities. Permanent effects are hard to produce. The medium is fraught with ambiguities about who attacked and why, about what they achieved and whether they can do so again. Something that works today may not work tomorrow (indeed, precisely because it did work today). Thus, deterrence and warfighting tenets established in other media do not necessarily translate reliably into cyberspace. Such tenets must be rethought. -- RAND Corporation report "Cyberdeterrence and Cyberwar"
[Note: emphasis is mine]
Src: RAND report on Cyberdeterrence and Cyberwar

QOTD - Rothke on Encryption vs Data Destruction

"Encryption is a fantastic way to assure the privacy of live data, but is not suitable for the protection of end-of-life data," says Ben Rothke, Senior Security Consultant with BT Professional Services & author of Computer Security: 20 Things Every Employee Should Know.

Ben goes on to explain that
Encryption's weakness is that the keys used to secure the data may be compromised. Even if the 256-bit Advanced Encryption Standard (AES) is used, which is unbreakable using current technology, data can be compromised if the user chooses a weak passphrase to protect the data, or if the key was not properly destroyed.

Some have suggested that encryption and then losing the keys is a method of destruction. But in speaking with those who have forensic labs, they note that there are ways of getting keys, as well as cracking keys on lesser levels of encryption. Given that, encryption should be used as a security mechanism, not as a destruction tool.
Src: Why Information Must Be Destroyed, Part Two | CSO Online

QOTD Ranum on Distributed Data

Distributed data is distributed vulnerability. Accessibility from everywhere means leakage everywhere. But, strangely, whenever one of us "old school" security practitioners says that, the rejoinder is "data compartmentalization is an impediment to doing business." Ultimately it will sink in - you either have impediments to doing business, or you have leaks. -- Marcus Ranum, CSO for Tenable Network Security
Src: SANS NewsBites Vol 11 Num 79

QOTD on the Next World War

The next world war could begin in cyberspace.
...
In Cyberspace there is no such thing as a superpower: Every citizen is a superpower. -- Mr. Hamadoun Touré, Secretary General of the International Telecommunication Union (UN)
Src: World War III Could Be Fought on Internet, Says ITU Head | PC World

QOTD - Stiennon on Sun Tzu's Teachings

Sun Tzu’s teaching is clear. Security must rely on strong defenses even when no attacks are evident. -- Richard Stiennon, founder of IT-Harvest.
Src: Sun Tzu on defense | ThreatChaos