Risk Management — News

Embedding risk culture

An observation from the global financial crisis is that organisations with a weak risk culture can experience extensive or even catastrophic damage. Significant investment in risk management people, processes and technology is only part of a sound business risk environment. The key component is the risk culture.

David Roche | 28 Feb

Security Operations the Final Frontier – Part III

Security Operations, as a capability, was discussed in the first article of this series: Security Operations the Final Frontier. This was a response to media coverage of other operations in which information was compromised and data assets were stolen - Operation Shady RAT, Operation Aurora and Operation Night Dragon.

Puneet Kukreja | 20 Dec

How to have real risk management

Our coverage of the annual Global Information Security Survey conducted by CSO and CIO magazines in partnership with PwC has sparked some interesting discussions about what it takes to be a security leader (http://www.csoonline.com/article/690854/are-you-an-it-security-%20leader-really-). Specifically, the discussion is about how organizations can move from being a security laggard to something better (http://www.csoonline.com/article/691069/laggard-to-leader-what-it-takes-to-get-there). As part of those discussions, we spoke with Andy Ellis, chief security officer at Akamai Technologies. Ellis is responsible for overseeing the security architecture and compliance of the company's globally distributed network and sets the strategic direction of its security.

George V. Hulme | 02 Nov

Got cyber insurance?

Heartland Payment Systems (http://www.networkworld.com/news/2010/010810-heartland-to-pay-up-to.html) figured it was in pretty good shape when it took out a $30 million cyber insurance policy. Unfortunately, the credit card transaction processor was the victim of a massive data breach in early 2009 that resulted in losses estimated at $145 million. The insurance company did pay Heartland the $30 million, but the company was on the hook for the remaining $115 million.

Lamont Wood | 24 Oct

IT Audit Survey Exposes Weak Risk Assessment

Even in the face of costly and embarrassing corporate security breaches, one in four companies fails to conduct any IT risk assessment. And 42% say there are areas of their information technology audit plans that cannot be addressed because of a lack of resources and expertise.

Roy Harris | 06 Oct

How to create a risk register

A Risk Register, also referred to as a Risk Log, is a master document which is created during the early stages of your project. It is a tool that plays an important part in your Risk Management Plan, helping you to track issues and address problems as they arise.

CIO Staff | 19 Sep

Security Operations the Final Frontier – Part II

I have created my own interpretation of what a good pragmatic Security Operations Model (SOM) would look like. This has been adapted from a number of Security Frameworks and Industry Good Practices like ITIL, COBIT, NIST, OCTAVE, OWASP and the ever-present ISO 27001/2, all of which have an input into the structure and makeup of an effective security operations framework or security operations model.

Puneet Kukreja | 13 Sep

Opinion: Risk Assessments Are Not Worth the Risk

For years, professionals of the information security industry have been advising and using risk-based approaches to securing organisations and their information assets. This has been the received wisdom for so long that this is now encompassed in industry standards, such as ISO 27001, FIPS 200, etc.

Charles Wale | 19 Aug

Leverage government innovation to reduce identity management risks

Managing consumer or citizen identities comes with two key problems--scale and cost--prompting organizations that require onboarding, authentication, and password management (http://www.csoonline.com/article/684895/password-management-systems-how-to-compare-and-use-them) to look for ways to outsource this effort. Entertainment websites, online retailers, and even US federal government-to-citizen websites are experimenting with a federated model for more of their identity management life cycle. By using single sign-on (SSO) and attribute-sharing between "social" identity providers (IdPs) (i.e. Google and Facebook) and relying parties (RPs), this model effectively reduces cost and improves the customer experience.

Eve Maler | 14 Jul

Dropbox left document storage accounts open for four hours

Online storage service Dropbox accidentally turned off password authentication for its 25 million users for four hours on Monday -- although "much less than 1 percent" of those accounts were accessed during the period, the company said. It is still investigating whether any of those accounts were improperly accessed.

Jeremy Kirk | 21 Jun

A new security architecture for the cloud

Members of the Open Group's Security for the Cloud and SOA Project have launched a new security architecture for the cloud (http://www.csoonline.com/article/505871/the-curse-of-cloud-security), to help security organizations better understand the unique security aspects of cloud computing.

Bob Violino | 20 Jun