The three questions all CISOs should be prepared to answer (Part Three)

In the first two parts of this series, we addressed the questions "Are we secure?" and "Are we compliant?" In this final section we will address the question, "Are we ready?"

Are we ready?

Ready for what? For an incident of course! As I already mentioned in the first part of this series, if some of the world's largest corporations, security vendors, and intelligence agencies have suffered security breaches, the probability that your security program will be the exception is very low. So while you should do everything that is reasonable and prudent to prevent an incident, you should also ensure that you have appropriate processes in place to deal with an incident when, not if, the inevitable occurs.

By Michael Lines on Jan 30, 2017 12:00:00 AM

The three questions all CISOs should be prepared to answer (Part Two)

In part one of this series, we discussed the first of the three questions all CISOs should be prepared to respond to when discussing security with their board or company leadership, "Are we secure?" In this article we will discuss the second question:

Are we compliant?

Compliant to what, you might ask? Well, to start, compliant to your own information security policies! The information security program you have put in place to address the question "Are we secure?" should be articulated in a formal policy document for your company. That policy should specify what controls and measures must be in place across the company in order to protect your company's and your clients' information.

By Michael Lines on Jan 23, 2017 2:20:30 PM

The three questions all CISOs should be prepared to answer (Part One)

I love being a Chief Information Security Officer (CISO). No other job that I know of provides the challenges that come from balancing an ever-changing mix of legal, regulatory, technology, and business needs, with geopolitics and international threats mixed in as well. However, when it comes to presenting what you do and how well you are doing to the senior leaders of your company, the job ultimately boils down to answering three questions, the first of which is:

By Michael Lines on Jan 16, 2017 4:46:00 PM

Information Security 2016, Highlights and Trends

"Prediction is very difficult, especially if it's about the future."
Niels Bohr, Nobel laureate in Physics

In looking back over all that has happened regarding information security in the past year, I'm reminded of a book I read to my children when they were growing up, "Alexander and the Terrible, Horrible, No Good, Very Bad Day" by Judith Viorst. This year has been like that, going from bad (data breaches ranging from Yahoo, to Verizon, to the IRS) to worse (with many major websites taken offline by the DDoS attack on Dyn). Unlike with Alexander, I'm afraid our day is not going to end well after all the calamities we have suffered.

By Michael Lines on Dec 15, 2016 1:05:35 PM

The Lessons of Fukushima Daiichi for Cybersecurity

"We were not able to prevent the accident from happening because we stopped thinking," said Yuichi Okamura, a Tepco company spokesman.

"We were not able to think beyond a certain point, such as that a tsunami might be higher and what would happen to the plant if that scenario did occur. We didn't think what would happen if the safety equipment did not function as it was meant to."

The Telegraph article on the Fukushima disaster, March 2016

By Michael Lines on Dec 2, 2016 4:19:53 PM

The normalcy bias and its impact on security

"The fault, dear Brutus, is not in our stars, but in ourselves..."
Shakespeare, Julius Caesar

From Wikipedia: "The normalcy bias, or normality bias, is a mental state people enter when facing a disaster. It causes people to underestimate both the possibility of a disaster and its possible effects. This may result in situations where people fail to adequately prepare and, on a larger scale, the failure of governments to include the populace in its disaster preparations."

By Michael Lines on Nov 3, 2016 3:47:35 PM

Can you hear me now? Cybersecurity in the boardroom...

In 2015, the United States Senate introduced the Cybersecurity Disclosure Act of 2015, the goal of which is to "promote transparency in the oversight of cybersecurity risks at publicly traded companies."

Two crucial disclosure requirements in the bill read as follows:

"(1) to disclose whether any member of the governing body, such as the board of directors or general partner, of the reporting company has expertise or experience in cybersecurity and in such detail as necessary to fully describe the nature of the expertise or experience; and

(2) if no member of the governing body of the reporting company has expertise or experience in cybersecurity, to describe what other cybersecurity steps taken by the reporting company were taken into account by such persons responsible for identifying and evaluating nominees for any member of the governing body, such as a nominating committee."

Proposed US Senate Bill, Cybersecurity Disclosure Act of 2015

By Michael Lines on Oct 7, 2016 9:00:00 AM