Our Thinking

Post-RSA Conference 2017 Q&A with Dan Lapierre

Posted by Dan Lapierre on Feb 23, 2017 4:44:03 PM

Last week a record number of more than 43,000 participants attended the RSA Conference 2017. Many Onliners attended the event, including Dan Lapierre from our Risk, Security, and Privacy practice. We had a chance to sit down with Dan this week to get his thoughts on the conference.

Topics: Security

Protecting the empire goes beyond securing the castle walls: Understanding the importance of audit controls

Posted by Adam Kehler on Feb 14, 2017 5:08:03 PM

Is your information security program stuck in the middle ages? Are you still just protecting the castle walls, or have you taken a step forward into modern times, where you must assume your outer perimeter will be breached?

Healthcare organizations are notorious for applying minimal security measures, which generally consist of firewall and anti-virus precautions to prevent attackers from penetrating their systems. This is an antiquated method that simply doesn't work. You need to think more strategically and prepare your organization for impending attacks by assuming that your defenses will be breached. In fact, 56% of organizations say it is unlikely or highly unlikely that they would be able to detect a sophisticated attack. On top of that, it takes an average of over 200 days for an organization to simply detect an attack of any severity. Those are some scary stats to consider when people’s personal information is at stake.

Topics: Security

Cyber Risk is no board game – you need to know when to accept, mitigate, or transfer risk to a 3rd party

Posted by Steve Levinson on Feb 9, 2017 3:57:45 PM

The risk landscape continues to evolve with each and every passing day. Yesterday’s secure platform has now become today’s weakest link. Every moment, your organization faces some degree of security risk. The boardroom is ultimately responsible for having an inherent understanding of the various risks to the organization, and therefore is challenged with determining the ideal strategies to address the risk. Once a threat or vulnerability becomes publicly known*, the fuse is lit; and business leaders need to be prepared to make prudent decisions to protect their organizations.

Topics: Security

The Future of A.I. - According to KDD 2016

Posted by Justin Mei on Feb 7, 2017 4:07:57 PM

The term A.I. is nothing new; it has been used in movies and science fiction for decades. In the real world, A.I. has also been used to some degree for decades, but it has only started to gain serious momentum in the last decade or so.

A.I. is part of an interdisciplinary field known as data science. While there are many different definitions of data science, they all include some combination of the following areas of expertise: artificial intelligence, statistics, and domain knowledge. These skills are used to extract valuable information from vast amounts of data.

Topics: Digital Transformation

I failed my PCI assessment - now what?

Posted by Shawn Lukaschuk on Feb 1, 2017 4:19:14 PM

Are you a Service Provider or a Merchant?

This is an important question because merchants and service providers are accountable to different entities for their PCI DSS compliance. These entities are the people that will need to know about your (temporarily!) failed status and they will want regular communications from you starting now until you successfully complete your compliance assessment.

Topics: Security

The three questions all CISOs should be prepared to answer (Part Three)

Posted by Michael Lines on Jan 30, 2017 12:00:00 AM

In the first two parts of this series, we addressed the questions "Are we secure?" and "Are we compliant?" In this final section we will address the question, "Are we ready?"

Are we ready?

Ready for what? For an incident of course! As I already mentioned in the first part of this series, if some of the world's largest corporations, security vendors, and intelligence agencies have suffered security breaches, the probability that your security program will be the exception is very low. So while you should do everything that is reasonable and prudent to prevent an incident, you should also ensure that you have appropriate processes in place to deal with an incident when, not if, the inevitable occurs.

Topics: Security

The three questions all CISOs should be prepared to answer (Part Two)

Posted by Michael Lines on Jan 23, 2017 2:20:30 PM

In part one of this series, we discussed the first of the three questions all CISOs should be prepared to respond to when discussing security with their board or company leadership, "Are we secure?" In this article we will discuss the second question:

Are we compliant?

Compliant with what, you might ask? Well, to start, compliant with your own information security policies! The information security program you have put in place to address the question "Are we secure?" should be articulated in a formal policy document for your company. That policy should specify what controls and measures must be in place across the company in order to protect your company's and your clients' information.

Topics: Security

The three questions all CISOs should be prepared to answer (Part One)

Posted by Michael Lines on Jan 16, 2017 4:46:00 PM

I love being a Chief Information Security Officer (CISO). No other job that I know of provides the challenges that come from balancing an ever-changing mix of legal, regulatory, technology, and business needs, with geopolitics and international threats mixed in as well. However, when it comes to presenting what you do, and how well you are doing it, to the senior leaders of your company, the job ultimately boils down to answering three questions, the first of which is:

Topics: Security

If Patching Vulnerabilities Were so Easy Everyone Would Do It

Posted by Jerry Holcombe on Jan 11, 2017 10:42:25 AM

Patching – one of the surefire ways to help your organization mitigate the risk of being compromised through software defects or security weaknesses. As security professionals, we've seen the whole gamut when it comes to patching. At one end of the spectrum are organizations where half or more of their servers haven't been patched in years; at the other end are those that validate build specs and spin up new servers multiple times a day.

Topics: Security

The Ostrich Effect - Part Two: How Do You Fix the Problem?

Posted by Jon Fraser on Jan 9, 2017 2:39:26 PM

In my last blog (which you can read here), I discussed the hacking of Casino Rama and how it may have been caused by something called the Ostrich Effect. To review, the Ostrich Effect occurs when an organization knows it has a security risk but is unable to remediate the threat, often because of the cost and effort that remediation requires.

Topics: Security, Service Management

Our Thinking - The Online Blog is a source for insights, resources, best practices, and other useful content from our multi-disciplinary team of Onliners.