Opinion

Opinion

• Why nation-state cyberattacks must be top of mind for CISOs

  Even though organizations face threats coming from many sources, one type of cyberattack should be top of mind for CISOs: those backed by nation-states. Here's why.  Continue Reading

• Plan now for the future of network security

  How to battle well-funded, technologically sophisticated threats and ensure high-quality network performance? CISOs need a plan to meet network challenges now and in the future.  Continue Reading

• Bot management drives ethical data use, curbs image scraping

  Bot management tools can help enterprises combat bad bots, prevent web and image scraping, and ensure ethical data use -- all while maintaining a positive end-user experience.  Continue Reading

• The future of facial recognition after the Clearview AI data breach

  The company that controversially scrapes data from social media sites for law enforcement clients announced a data breach. What does it mean for the future of facial recognition?  Continue Reading

• 2 components of detection and threat intelligence platforms

  Deploying threat detection and intelligence platforms is one of the smartest ways to protect your organization's valuable assets. Make sure you know how to choose the best tool.  Continue Reading

• Fresh thinking on cybersecurity threats for 2020

  It's a good time to take a clear-eyed view of the likely security threats facing your organization. But then what? Experts suggest getting creative with your threat responses.  Continue Reading

• What's the answer for 5G security?

  Learn about the planning of 3GPP in developing specifications for 5G security in this synopsis of 5G Americas' white paper, 'The Evolution of Security in 5G.'  Continue Reading

• When cyberthreats are nebulous, how can you plan?

  Security planning is tough when you're short-staffed and hackers have smart tech too. You'll need solid skills and, most of all, a willingness to use your imagination.  Continue Reading

• CISOs, does your incident response plan cover all the bases?

  Security incidents, let's face it, are essentially inevitable. How do you cover the key bases -- education, inventory, and visibility -- in planning for incident response?  Continue Reading

• Securing IoT involves developers, manufacturers and end users alike

  Who's to blame for the IoT security problem: manufacturers creating devices, end user deploying them or governments not creating legislation enforcing security measures?  Continue Reading

• IoT botnets reach new threshold in Q2 of 2019

  Defending against the rising number and increasing sophistication of IoT botnet attacks isn't an easy task. Learn about the latest threats and the techniques to mitigate them.  Continue Reading

• Prevent ransomware attacks on cities in perimeterless networks

  City ransomware attacks are disruptive, annoying and potentially life-threatening. In increasingly mobile and perimeterless networks, how can municipalities prevent the risk?  Continue Reading

• The must-have skills for cybersecurity aren't what you think

  The most critical skills that cybersecurity lacks -- like leadership buy-in, people skills and the ability to communicate -- are not the ones you hear about. That needs to change.  Continue Reading

• Is your identity management up to the task?

  IAM is an organization's best defense for its weakest link, end users. Make sure you're following the right framework and keeping your tools honed and ready for battle.  Continue Reading

• Who's to blame for ransomware attacks -- beyond the attackers?

  Cyberattackers are to blame for ransomware attacks, but what about companies that release flawed software or don't install patches? Our expert looks at where the buck stops.  Continue Reading

• Putting cybersecurity for healthcare on solid footing

  CISO Kevin Charest talks security threats he sees in the healthcare field and the means his company is using to thwart them, including HCSC's Cyber Fusion Center.  Continue Reading

• 2019 RSA Conference bottom line: People are security's strongest asset

  People in the security community and beyond are more important and influential than the leading technologies if the talk at the 2019 RSA Conference is any indication.  Continue Reading

• What a proactive cybersecurity stance means in 2019

  Meeting cyberthreats head-on is no longer a choice but a necessity. Learn what dangers IT security teams may face in 2019 and why a proactive attitude is vital.  Continue Reading

• How paradigms shifting can alter the goals of attackers and defenders

  The use of disruptive technology is altering the way attackers and defenders set goals for network security. Learn more about the shifting field with Matt Pascucci.  Continue Reading

• Marcus Ranum: Systems administration is in the 'crosshairs'

  After years of spirited debates and top-notch interviews, columnist Marcus Ranum is signing (sounding?) off with some final thoughts on the future of security.  Continue Reading

• Ron Green: Keeping the payment ecosystem safe for Mastercard

  "We have invested a billion dollars over the last couple of years just in security," says Ron Green, Mastercard's chief of security, who joined the company in 2014.  Continue Reading

• The threat hunting process is missing the human element

  Threat hunting hinges on an analyst's ability to create hypotheses and to look for indicators of compromise in your network. Do you have the resources to hunt?  Continue Reading

• Why U.S. election security needs an immediate overhaul

  There's no evidence that threat actors have been able to manipulate or change vote counts in our elections, but Kevin McDonald says that doesn't mean it can't -- or won't -- happen.  Continue Reading

• Industries seek to improve third-party security risk controls

  Healthcare security leaders are developing industry best practices for better third-party risk management using common assessment and certification standards.  Continue Reading

• White hat Dave Kennedy on purple teaming, penetration testing

  Russia and other nation-states use application control bypass techniques because they don't "trigger any alarms," the chief hacking officer says.  Continue Reading

• Kurt Huhn discusses the role of CISO in the Ocean State

  A strategy focused on widespread training and education leads to progress against one of the state's biggest threats, says the Rhode Island CISO.  Continue Reading

• Why a unified local government security program is crucial

  When considering a local government cybersecurity program, companies must understand the dangers of not having one. Matt Pascucci explains why a program designed to monitor the public sector is crucial.  Continue Reading

• Tom Van Vleck on the Multics operating system, security decisions

  Time-sharing systems got a lot right from a security standpoint. "We aimed toward a completely lights-out, 'no chance for mistakes' interface," says the security researcher.  Continue Reading

• Fannie Mae CISO calls for more data on security incidents

  Chris Porter's years as a lead analyst and author of Verizon's Data Breach Investigations Report helped prepare him for the chief of security role at the primary housing lender.  Continue Reading

• Why third-party access to data may come at a price

  Google and other platform companies dangled not only APIs but access to user data from unwitting customers to attract third-party developers and other partners.  Continue Reading

• Q&A: Why data security controls are a hard problem to solve

  Feeling less friendly after Facebook? "There is a great deal of power in being able to combine data-sources," says Jay Jacobs, security data scientist.  Continue Reading

• Walmart's Jerry Geisler on the CISO position, retail challenges

  A global CISO in charge of one of the world's largest cybersecurity programs got his start on the retail floor. He's arrived just in time for the digital transformation.  Continue Reading

• Cybercrime study: Growing economic ecosystem spells trouble

  New research shows that cybercriminals are gaining momentum with connected infrastructure and collectively earning billions annually from a cybercrime economy. Now what?  Continue Reading

• Marcus Ranum decodes hardware vulnerabilities with Joe Grand

  Computer hardware designs with dangerous security flaws? That's no surprise to renowned hardware hacker Grand.  Continue Reading

• Healthcare CISO: 'Hygiene and patching take you a long way'

  Cybersecurity and healthcare can get along, according to CISO Joey Johnson, who leads the security program at Premise Health, but it takes patience and attention to the details.  Continue Reading

• Cost of data privacy breach may not be enough

  While the European Union is taking major steps to protect residents' data privacy, little has happened in the United States, even after Equifax and Facebook.  Continue Reading

• Fred Cohen on strategic security: 'Start with the assumptions'

  Cohen is a globally recognized expert in information protection and cybersecurity. Since coining the term 'computer virus,' he has remained a pioneer in information assurance.  Continue Reading

• Data protection compliance costs less than noncompliance

  Smaller companies -- with fewer than 5,000 employees -- in particular may be hit hard by GDPR requirements and other data compliance hurdles. A new report does the math.  Continue Reading

• Active Cyber Defense Certainty Act: Should we 'hack back'?

  With the proposal of the Active Cyber Defense Certainty Act, individuals would be able to 'hack back' when information is stolen. Matt Pascucci makes the case against the bill.  Continue Reading

• The tug of war between user behavior analysis and SIEM

  Information security technologies embrace user behavior analytics, and the trend is expected to continue. Should CISOs consider a standalone UBA component?  Continue Reading

• What's with cybersecurity education? We ask Blaine Burnham

  When he left the NSA, Burnham helped build the security education and research programs at the Georgia Institute of Technology and other universities. What did he learn?  Continue Reading

• From the White House to IBM Watson technology with Phyllis Schneck

  The managing director at Promontory Financial Group, now part of IBM, talks about supercomputers, cryptography applications and her start in computer science.  Continue Reading

• Are companies with a SOC team less likely to get breached?

  Information security operations centers are “growing up,” according to one study. But, with staffing shortages and manual collection of data, performance metrics are hard to get.  Continue Reading

• The chief information security officer role grows in stature

  No longer do CISOs hunt for a seat at the decision-maker's table. But with increased recognition of their vital role comes vast responsibilities and need for a big skill set.  Continue Reading

• Building a secure operating system with Roger R. Schell

  The 'father' of the Orange Book has first-hand knowledge of the standards required for classified computer systems and the issues with subversion.  Continue Reading

• No customer data leaks? Companies look down the rabbit hole

  When Yahoo finally disclosed a massive 2014 data breach to up to five hundred million affected account holders in September 2016, some already had legal representation.  Continue Reading

• From security product marketing to CEO: Jennifer Steffens

  The CEO of a global pen tester used to work for the New York Yankees. Find out how Jennifer Steffens went from sports marketing to head of a security service provider.  Continue Reading

• A damaging spring of internet worms and poor performance

  Security is a hot topic for media outlets that report on stock markets as companies founder on corporate earnings. The financial fallout of global malware is a call to action.  Continue Reading

• Interfacing with an information technology entrepreneur

  E. Kelly Fitzsimmons started with coconuts and then sold four companies. A serial entrepreneur discusses security and technology startups and why embracing failure works.  Continue Reading

• Security innovations need to catch up with technology trends

  When we asked CISOs and venture capitalists about disruptive technologies that could transform enterprise security models -- and how to prepare for them -- a few trends stood out.  Continue Reading

• Do thoughts of your least secure endpoint keep you up at night?

  Some days, 'secure endpoint' feels like an oxymoron, but that soon may change. From smart sandboxes to advanced behavior analytics, learn what's new in endpoint security technologies.  Continue Reading

• How intelligence data leaks caused collateral damage for infosec

  Alvaka Networks' Kevin McDonald looks at the real-world damage caused by data leaks at the CIA and NSA, which have put dangerous government cyberweapons in the hands of hackers  Continue Reading

• Wendy Nather: 'We're on a trajectory for profound change'

  This former CISO talks about her uncharted path from international banking to industry analysis. What's next for infosec? We ask the security strategist those questions and more.  Continue Reading

• Q&A: GDPR compliance with Microsoft CPO Brendon Lynch

  Failure to achieve compliance with the EU's General Data Protection Regulation in the next 12 months can trigger fines of up to 4% of a company's gross annual revenue.  Continue Reading

• CISO job requires proven track record in business and security

  In the security field, certifications and degrees are never a substitute for on-the-job experience. For women in security, the challenges may be even greater.  Continue Reading

• Start redrawing your identity and access management roadmap

  Securing enterprise systems and information requires an IAM roadmap that helps you identify effective policy, technology and tools.  Continue Reading

• Chenxi Wang discusses DEF CON hacking conference, 'Equal Respect'

  Grassroots efforts to shift cultural thinking in information security have had a positive effect, the former professor of computer engineering says.  Continue Reading

• Outsourcing security services rises as MSSPs focus on industries

  Despite increasing levels of specialization, managed security service providers often don't understand the business you're in. That may be changing.  Continue Reading

• The best SSO for enterprises must be cloud and mobile capable

  The best SSO today can handle the apps mobile workers use, identity as a service and more. Learn to make single sign-on, and other identity management approaches, more effective.  Continue Reading

• AI or not, machine learning in cybersecurity advances

  As more companies promote machine learning and artificial intelligence technologies, chief information security officers need to ask some tough questions to get past the hype.  Continue Reading

• Q&A: IBM's Diana Kelley got an early start in IT, security came later

  How did an editor become a security architect? A fascination with computers sparked a lifelong journey for IBM's executive security advisor.  Continue Reading

• Uncharted path to IT and compliance with Digital River's Dyann Bradbury

  Bradbury chats with Marcus J. Ranum about her early interest in computers and her unexpected career path to head of global compliance for an e-commerce provider.  Continue Reading

• CISO job description: Business function more than IT

  The executive-level security position is always up for debate. Is it a technical role, or is it moving out of the IT department to influence broader security and risk management initiatives?  Continue Reading

• CISO Q&A: Healthcare information security needs more leadership

  Anahi Santiago of Christiana Care Health System has spent much of her career in healthcare information security. "We are under attack," she says.  Continue Reading

• Q&A: Why information security data analysis is so complex

  Worried about bad statistics? Marcus Ranum asks the former lead analyst of the 'Verizon Data Breach Investigations Report' about storytelling with data.  Continue Reading

• Report: Lack of SSL traffic inspection poses threat to enterprises

  New research shows poor visibility into encrypted traffic increases the risk to enterprises as malicious actors take advantage of blind spots  Continue Reading

• Cyber attribution: Whodunit takes on new meaning in November

  Political hacking is a regular occurrence. Should we worry more about cybercrime attribution or the ability of unknown actors to influence public discourse?  Continue Reading

• Are security people born with unique talents? We ask Kevin Johnson

  The founder and CEO of Secure Ideas tells Marcus Ranum about his inner journey, from systems administrator at a friend's startup to ethical hacker for hire.  Continue Reading

• Global report: Cybersecurity skills shortage threatens security

  The shortage in the security skills pipeline is creating vulnerabilities worldwide, according to one report. Executives say "gaming" can help companies develop a better workforce.  Continue Reading

• Cybersecurity risk profiles: Are FICO-like scores a good idea?

  Metrics are the CISO's reporting mechanism. Security ratings services may offer a way to continuously monitor changes in vendors and business partners' security postures.  Continue Reading

• DevSecOps: Security leaves the silos (and badges) behind

  Delays, "no" and "redo that work" causes many developers to avoid IT security. With DevOps, proponents aim to make security at scale everybody's problem.  Continue Reading

• Mobile risk management falls short in Global 2000

  The majority of companies lack mobile policies around access and storage of corporate data, according to one study. Is your organization one of them?  Continue Reading

• Network security infrastructure isn't only for hackers

  Rapidly changing environments, from sprawl to consolidation, increase the challenges of network risk analysis, proper segmentation, and policy and change management.  Continue Reading

• Branching out with pen tester: Jayson E. Street

  The renowned hacker dishes on his early beginnings, paranoid tendencies and welcome progression from physical security to penetration testing of financial services.  Continue Reading

• Status quo: Data compromise holds steady in 2016

  Data breaches can point to issues with security tools and their implementation. Some companies that are putting personally identifiable information at risk may surprise you.  Continue Reading

• Q&A: Rethink compensating controls, says Warner Bros. CISO

  It is not hard to make the shift from independent controls for defense in depth to interlocking strategies, Ron Dilley tells Marcus Ranum, but careful planning is required.  Continue Reading

• Security incident handling: Prepare to find answers

  CISOs work in stressful scenarios. Before you face executives armed with questions about security incident handling, it's time to formulate some of your own.  Continue Reading

• Threat defense, hybrid clouds and 'connections others miss'

  We often talk about shifts in information security from advanced threats to emerging technology defenses, but this year marks a few major turning points.  Continue Reading

• The futility of data breach notifications

  Olivia Eckerson discusses how her healthcare insurance provider was hacked, and why the data breach notification letter she received was less than helpful.  Continue Reading

• WMI tools make the perfect crime 'malware-free'

  Security researchers claim that attackers are abusing a longstanding administrative tool in the Windows operating system. With no telltale signs of malware, how can you stop it?  Continue Reading

• Ranum Q&A: The data behind cyberfraud with Anyck Turgeon

  Do we really have a good idea of how big a problem insider attacks are? A global data scientist, who is focused on fraud and money laundering, ponders the numbers.  Continue Reading

• Integrated IT security tools may hit the 'suite' spot

  Compilations of security tools and services make it hard for enterprises to figure out what some products offer, but efforts to avoid overlap can pay off.  Continue Reading

• Security startups tackle the art of deception techniques

  Distributed decoy systems aim to take deception by defenders to the next level. Will a network of traps and lies change the rules of engagement?  Continue Reading

• Q&A: Secure application development in the age of mashups

  How do you integrate the needs of the business and third-party services with security? Veracode’s Chief Strategy Officer Sam King has some answers.  Continue Reading

• The search for answers to ‘advanced threat’ defense

  Visibility into what is happening on your network may matter more than stopping an attack. Can technology keep up with advanced threats?  Continue Reading

• Can white-box cryptography save your apps?

  With the Internet of Things, software-based secure elements could hold the key.  Continue Reading

• Marcus Ranum Q&A: Aetna CSO Jim Routh on Agile security testing and challenges

  Why the health insurer pursues early prevention and detection strategies as part of its software security program.  Continue Reading

• The CISO role's evolution from IT security to policy wonk

  As the need for a dedicated information security officer catches fire beyond firewalls, how should companies engineer the expanding CISO role?  Continue Reading

• McGraw: Seven myths of software security best practices

  According to expert Gary McGraw, you're not helping yourself by believing the things -- all seven of them -- you've heard about secure software development.  Continue Reading

• Formal verification is the oldest new game in town

  Security gamification puts formal verification back in play.  Continue Reading

• Marcus Ranum chats with CGI Group's Terri Curran

  Information security metrics may be lost on some executives, Curran says. Keep their attention on security measures with the right portfolio.  Continue Reading

• Gary McGraw discusses the security risks of dynamic code

  Gary McGraw says secure software development gets tricky when your programming environment shifts like sand.  Continue Reading

• Sourcing threat intelligence services? Buy them by the box

  Security pros are too stretched to digest actionable intelligence on a continuous basis. Dedicated appliances may help ease their load.  Continue Reading

• Becoming jaded with Security BSides' Jack Daniel

  The financial success of the security industry has created "breach" ambulance-chasers. Can grassroots efforts still move InfoSec forward?  Continue Reading

• Cybersecurity skills shortage? Hackers wanted

  The problem-solving skills that many enterprises need to counter threats are hard to identity, let alone multiply.  Continue Reading

• Block chain startups signal new approaches to data integrity

  Bitcoin 2.0 is fueling technology development and services. The block chain mechanisms that secure the Bitcoin network hold real promise for security.  Continue Reading

• Software security assurance: Marcus Ranum chats with Oracle's CSO

  After decades in the hot seat, Oracle's CSO Mary Ann Davidson is still fighting systemic risk and the vulnerabilities of enterprise software.  Continue Reading

• Catfish, super users and USB drives: We do the math

  The data science that reprogrammed Wall St. trading models may offer lessons for security.  Continue Reading

• Waratek grabs RSA Innovation Sandbox honors

  Runtime application self-protection startup Waratek wins coveted RSA Innovation award.  Continue Reading

• Machine versus the bots: Does your website pass the Turing 2.0 test?

  New Web security models use browser behavior and polymorphism to protect against data theft and fraud.  Continue Reading