Well, another one: CIO or C-Suite: To Whom Should the CISO Report?
At least the security community seems to agree…
The Role Change of the CSO
I am in this business for almost two decades, which is frightening by itself. On the other hand, it is absolutely fascinating, how the security industry and especially the role of the CSO changed. I do not want to go into long stories of security itself but look at it: Initially it was all about…
4 Biggest Mistakes in Security?
Actually the article I was looking at was called: The 4 Biggest Mistakes Businesses Make Trying To Secure Endpoints. However, a major part – in my opinion – is not only true for the endpoint but for security in companies as such: Underestimating Human Error: Well it starts with the administrator who is taking wrong…
Top 15 Security Predictions for 2016
No, they are still not coming from me but this article is actually really interesting: Top 15 security predictions for 2016. A few of them are remarkable: At your criminal service (Kaspersky/Seculert) The profitability of cyber-attacks means sophisticated criminal gangs with modern organizational models and tools will replace common cyber criminals as the primary threat.…
Outsourcing IT Security : A Recipe for Success or Disaster?
Good question but looking at the resources companies can (and want to) invest in security, most probably a recipe for success
Gartner: APT Attacks Will Seek Smaller Targets
As criminals get access to better technology and as the underground markets get more active, it is not surprising that targeted attacks become more mainstream. This is something we have seen over the last 6-8 months as well as extortion threats grew in parallel. There is another trend I see talking to other organizations: Midsize…
Security Metrics – a Failure?
Measuring security is a problem – and not something new. When I look at what we did at Swisscom, we are severely challenged in this area. A lot of companies measure things like incidents etc., metrics which are a complete failure in my opinion. Let’s look at the incident metric for a second. You could…
Writing Security Policies
I am a fan of simple and easy to read policies. I do not think that policies consisting of several thousand documents to any good nor will they be followed.
In this context I found a noteworthy blog post: 5 Tips on Writing Security Policies
Roger
Using the Cloud to solve business problems in today’s world
I often get asked by customers how I see the cloud in today’s environment. Honestly, I do not see it differently than I did an year ago. If I look at security in general, I see three challenges, which shape my mind: Most investments go towards protecting the infrastructure, whereas most attacks are successful on…
Targeted Attacks – a Video Series
Trustworthy Computing in partnership with Microsoft IT, Microsoft Consulting and the product groups just released a series of videos on targeted attacked and how to defend.
I would definitely urge you to listen to them and make sure you implement the countermeasures: Targeted Attacks Video Series
Roger
Will the user define security policies in the future?
I think, I blogged about this event already earlier: Years ago I was meeting a customer and was talking about the future of IT. I was telling the audience (about 10 people including the Security Officer) that there is a good chance that IT will not define a set of hardware anymore but that the…
How much security do you need?
Most companies have a lot of security policies to protect their assets and then there is the best of breed security technology added for each technical problem to solve. That way we can ensure that we did everything we could to protect the business – right? Well I do not completely think. I read this…
Security in 2013 – the way forward?
Typically January is the month where we are asked to make predictions on the trends for the New Year. I do not like this as I am an engineer and not a fortune tellerJ. But there are things we know and things we definitely need to drive this year. I would actually put it into…
Mitigating Pass the Hash Attacks
In the recent months, we have seen more and more targeted attacks towards our customers. A lot of them use a technique called Pass the Hash. This made us publishing a paper, which explains Pass the Hash but much more important shows some fairly simple to implement mitigations against this type of attack. As they…
Security Lessons from Star Wars
Exactly the right article for a weekend: May the (En)Force(ment) Be With You – Security Lessons from Star Wars From applying security policies to DLP and effective user authentication, there are many infosecurity lessons to be learned from the classic space opera. Terry Greer-King of Check Point shows how companies can avoid the Empire’s mistakes…
Security Advisory – Update For Minimum Certificate Key Length
As you know, I rarely blog about Security Advisories or updates but this time, I want to make sure that you saw that: We released the Microsoft Security Advisory (2661254) – Update For Minimum Certificate Key Length to make you aware of the fact that we will restrict usage of all certificates with RSA keys…
Consumerization of IT–How to address this
Bring Your Own Device or Consumerization of IT are fairly hot themes in a lot of customer organizations. When I talk to customers, there are typically different reactions, once we bring this up. Some tell us, that it is not part of their strategy; some tell us that they plan to do it but that…
Security of Car Software
We have seen some of the attacks recently, where people started to attack either the locks or the technology/software in the car itself controlling the chassis etc. On DarkReading I was just reading this article: Car Systems Reminiscent of Early PCs One of the things I do not get with cars is the way they…
Cloud Security in Office365
You heard about the launch of Office365 recently and I hope you read the blog post on the application of the Cloud Computing Security Considerations to the private. cloud. If not, here it is: Security Considerations in a Private Cloud To complete the series now, we released an additional paper on how these considerations can…
Security Considerations in a Private Cloud
I am talking a lot about Cloud Security. There are a few observations I made: Even though a lot of people are talking about the Cloud, there is still not too much knowledge about it. What is a private Cloud versus a public Cloud? What is Infrastructure as a Service, Platform as a Service, Application…