Our Thinking

Michael Lines

Recent Posts

The three questions all CISOs should be prepared to answer (Part Three)

Posted by Michael Lines on Jan 30, 2017 12:00:00 AM

In the first two parts of this series, we addressed the questions "Are we secure?" and "Are we compliant?" In this final section we will address the question, "Are we ready?"

Are we ready?

Ready for what? For an incident of course! As I already mentioned in the first part of this series, if some of the world's largest corporations, security vendors, and intelligence agencies have suffered security breaches, the probability that your security program will be the exception is very low. So while you should do everything that is reasonable and prudent to prevent an incident, you should also ensure that you have appropriate processes in place to deal with an incident when, not if, the inevitable occurs.

Topics: Security

The three questions all CISOs should be prepared to answer (Part Two)

Posted by Michael Lines on Jan 23, 2017 2:20:30 PM

In part one of this series, we discussed the first of the three questions all CISOs should be prepared to respond to when discussing security with their board or company leadership, "Are we secure?" In this article we will discuss the second question:

Are we compliant?

Compliant with what, you might ask? Well, to start, compliant with your own information security policies! The information security program you have put in place to address the question "Are we secure?" should be articulated in a formal policy document for your company. That policy should specify what controls and measures must be in place across the company in order to protect your company's and your clients' information.

Topics: Security

The three questions all CISOs should be prepared to answer (Part One)

Posted by Michael Lines on Jan 16, 2017 4:46:00 PM

I love being a Chief Information Security Officer (CISO). No other job that I know of provides the challenges that come from balancing an ever-changing mix of legal, regulatory, technology, and business needs, with geopolitics and international threats mixed in as well. However, when it comes to presenting what you do, and how well you are doing it, to the senior leaders of your company, the job ultimately boils down to answering three questions, the first of which is:

Topics: Security

Information Security 2016, Highlights and Trends

Posted by Michael Lines on Dec 15, 2016 1:05:35 PM

"Prediction is very difficult, especially if it's about the future."
Niels Bohr, Nobel laureate in Physics

In looking back over all that has happened regarding information security in the past year, I'm reminded of a book I read to my children when they were growing up, "Alexander and the Terrible, Horrible, No Good, Very Bad Day" by Judith Viorst. This year has been like that, going from bad (data breaches ranging from Yahoo, to Verizon, to the IRS) to worse (with many major websites being taken offline by the DDoS attack on Dyn). Unlike Alexander, I'm afraid our day is not going to end well after all the calamities we have suffered.

Topics: Security

The Lessons of Fukushima Daiichi for Cybersecurity

Posted by Michael Lines on Dec 2, 2016 4:19:53 PM

"We were not able to prevent the accident from happening because we stopped thinking," said Yuichi Okamura, a Tepco company spokesman.

"We were not able to think beyond a certain point, such as that a tsunami might be higher and what would happen to the plant if that scenario did occur. We didn't think what would happen if the safety equipment did not function as it was meant to."

The Telegraph article on the Fukushima disaster, March 2016

Topics: Security

The normalcy bias and its impact on security

Posted by Michael Lines on Nov 3, 2016 3:47:35 PM

"The fault, dear Brutus, is not in our stars, but in ourselves..."
Shakespeare, Julius Caesar

From Wikipedia: "The normalcy bias, or normality bias, is a mental state people enter when facing a disaster. It causes people to underestimate both the possibility of a disaster and its possible effects. This may result in situations where people fail to adequately prepare and, on a larger scale, the failure of governments to include the populace in its disaster preparations."

Topics: Security

Can you hear me now? Cybersecurity in the boardroom...

Posted by Michael Lines on Oct 7, 2016 9:00:00 AM

In 2015, the United States Senate introduced the Cybersecurity Disclosure Act of 2015, the goal of which is to "promote transparency in the oversight of cybersecurity risks at publicly traded companies."

Two crucial requirements to come out of the bill are as follows:

"(1) to disclose whether any member of the governing body, such as the board of directors or general partner, of the reporting company has expertise or experience in cybersecurity and in such detail as necessary to fully describe the nature of the expertise or experience; and

(2) if no member of the governing body of the reporting company has expertise or experience in cybersecurity, to describe what other cybersecurity steps taken by the reporting company were taken into account by such persons responsible for identifying and evaluating nominees for any member of the governing body, such as a nominating committee."

Proposed US Senate Bill, Cybersecurity Disclosure Act of 2015

Topics: Security

I've Been Pwned! Now What?

Posted by Michael Lines on Sep 20, 2016 9:30:00 AM

In May 2016, LinkedIn had 164 million email addresses and passwords exposed. Originally hacked in 2012, the data remained out of sight until being offered for sale on a dark market site four years later. The passwords in the breach were stored as unsalted SHA-1 hashes, the vast majority of which were cracked within days of the data's release.

Topics: Security

What is "Reasonable" Security?

Posted by Michael Lines on Sep 8, 2016 9:55:41 AM

"If organizations choose to amass data, and then fail to uphold their responsibilities as data stewards, they are also culpable."

California Attorney General 2016 Data Breach Report

Topics: Security

Our Thinking - The Online Blog is a source for insights, resources, best practices, and other useful content from our multi-disciplinary team of Onliners.
