Spotting the "black swans" of security

How can it be that firms can feel confident in their security technology investments and their people, yet ultimately still believe that they remain at great risk?

Me and my job: Blake Frantz, Center for Internet Security

A brief Q&A with Blake Frantz, director of benchmark development, security benchmarks division, Center for Internet Security (CIS).

BlackBerry back in the game

Thanks to BYOD, gone are the days of one single mobile device manufacturer or model to support, says Dimension Data Americas' Darryl Wilson.

Decoding the cloud

Unfortunately, data security and regulatory compliance requirements do not evaporate in the public cloud, says Vormetric's Ashvin Kamaraju.

Cyber war, this is not

Espionage and fraud in cyber is not an armed conflict, says SystemExpert's Jonathan Gossels.

You are an APT target

Cyber espionage is at an all-time high, and businesses across the United States are being targeted and breached, says Phillip Ferraro, CISO, DRS Integrated Defense Systems and Services.

A new perspective: Compromised computing

Let's just stop preventing what seems to be unavoidable and figure out how to enable our users to operate securely on a completely compromised device.

The five-step privilege management checklist for financial organizations

Finance companies should adopt an approach of least privilege, which takes into account security and productivity by granting users only the rights necessary to carry out their jobs.

Worry more about the cubicle dweller and less about the Chinese hacker

While intellectual property theft at the hands of regular employees may not yield headlines as provocative as those about a Chinese military unit spreading APTs from an office in Shanghai, the former scenario is the more likely one.

IT security: Luxury or commodity in these uncertain times?

Security professionals must toe the delicate line of assessing and responding to legitimate risk while being mindful of an organization's needs. Working in their favor is the belief that protecting sensitive data is a fundamental component of any business operation.

PCI compliance in the cloud decoded

As interest in the public cloud remains strong, a security expert makes sense of new recommendations for securing payment card data in those environments.

Eight creative strategies to address the sophisticated adversary

Tupac Shakur once sang, "The old way isn't working so it's on us to do what we gotta do to survive." That too goes for information security professionals, who are being tested like they've never been tested before.

Defining the qualities of cyber warfare

Cyber war is not as common as the mainstream news cycle would have us believe, but its definition is not as cut-and-dried either. Just because nothing is blowing up doesn't mean it isn't happening. It's all about the context.

The RSA Conference expo floor offended me - and why I blame the exhibitors

From "booth babes" to vapid marketing lingo to directionless conversations with vendor reps, one industry veteran wonders how information security professionals can take the RSA Conference showroom floor seriously.

Me and my job: Dominic Vogel, IT security analyst

Dominic Vogel, IT security analyst at a financial institution in British Columbia, Canada, shares how he entered the information security field and the challenges he faces.

New risks must be valued

IT trends - cloud, social networking and BYOD - are making the practice of security management complex, and are forcing organizations to shift to a risk-management perspective.

Before you take the plunge...

Prior to a job switch, ask questions to learn if the company you are considering is in good shape, says former Yahoo CISO Justin Somaini.

Maximizing quality and reliability

Information security executives must work to "engineer" their organizations to be better, faster, cheaper - and more secure, says Rafael Diaz, CISO, state of Illinois.

The search for the employee who can speak the boss's language

One of the sternest challenges for security professionals is finding the person who can best communicate the significance of data protection to senior management. It can be done, but sometimes it takes a little bit of luck.

Breaches and implausible deniability

The days of refusing to look for possible IT and security threats with the potential to result in the loss of customer data are over.

Securing mobile enterprise assets by embracing the app

As the bring-your-own-device movement becomes commonplace and better managed, it's time for security pros to move their focus toward securing the mobile application.

Are you ready for BYOD 2.0?

This phenomenon sees applications designed for consumers - such as Dropbox, Skype, Google Apps, WordPress, GoToMyPC - finding their way into the corporate tool box.

Skills in demand: Automation systems professionals

The increase of systems automation and monitoring within manufacturing companies has led to increased demand for certified automation systems professionals.

Me and my job: Mike Lang, University of Connecticut

This month's "Me and my job" features the University of Connecticut's senior network technician, Mike Lang.

Debate: Hacktivist group Anonymous will take a backseat to extremist groups in 2013

This month's debate covers the hacktivist group Anonymous. Will they take a backseat to more extremist groups in 2013?

Big Data can fight malware

The ever-changing nature of malware generates anomalous network behavior that can be detected by leveraging large corpuses of data collected from multiple observation points.

Sharing is caring: Take advantage of ISAC

Security pros should be less secretive, says New York City CISO Dan Srebnick.

The cloud will shake markets

The data center business model must evolve with cloud's demands, says NJVC's Kevin Jackson.

Of crime and punishment

I was dismayed and disturbed by the suicide of Aaron Swartz, which only added to well-rooted revulsion for the relentlessness of legal actions against him.

Applying NAC to mobile

A more substantial enterprise mobility framework can be conceived with a combination of NAC, MDM and MAM based on organizational requirements.

Want security awareness training? Think outside the box

If properly cultivated through effective education programs, employees can shed the moniker of "weakest link" and become an organization's greatest security asset.

Policies, employee awareness can help solve BYOD dilemmas

There's no denying that CSOs will have to deal with bring-your-own-device sooner or later, but ultimately it will lead to an enhanced workforce.

Tumblr's troll: A wake-up call for social networks

When seeking to attack social networking sites, miscreants don't even have to bother with the client or the server, yet a similar outcome could result. Now is the time for these platforms to prepare for what's to come.

Inside out: The vanishing perimeter and rising role of security

When building new systems, security must be as foundational as performance and capability. Because without such a model, the risks associated with today's IT environments will only worsen.

Debate: Bug bounty programs

Debate: Bug bounty programs - offering monetary rewards to researchers - help make companies more secure.

Legislation: Friend or foe?

The proposed Cyber Intelligence Sharing and Protection Act (CISPA) is galvanizing government and industry over whether we need federally mandated security legislation and what it should look like.

Can't beat 'em? Insure against 'em.

If no one can guarantee an organization is hack-proof, then perhaps it's time for a more practical approach - cyber liability insurance.

Top 7 end-user security priorities for 2013

As employees use more consumer-grade applications and access more corporate data from unmanaged mobile devices, the network perimeter continues to disappear - along with IT's ability to enforce appropriate security controls.

Outlook for mobile

BYOD has empowered the modern workforce, improved productivity and allowed companies to deliver better services to customers and partners. Forrester sees a continuation of this trend into 2013 and beyond.

Top firewall management blunders

The best run organizations can find a number of blunders lurking in their firewall rules.

The ghosts of Microsoft: Patch, present and future

When you consider how many stakeholders are invested in Microsoft's Patch Tuesday, it's no wonder the monthly affair stirs up so much energy in the cyber world.

It's the complexity, not the size, that makes DDoS effective

Distributed denial-of-service attacks are becoming more potent, and truth be told, they're often difficult to stop.

Prediction: BYOD may go away in 2013

With a new year come new challenges. But while many see bring-your-own-device gaining momentum, more organizations may be ready to issue their own handhelds to employees.

Know thyself, or risk being known by attackers

Understanding your organization's security posture can mean the difference between data that's protected from attackers and a breach that can result in major financial and reputational harm.

Skills in demand: System engineers

The convergence of communications, VoIP and multimedia systems (video conferencing, webinars, peer-to-peer) has increased the demand for engineers capable of designing and managing systems.

Me and my job: Brian Calkin, Multi-State ISAC Security Operations

A Q&A with Brian Calkin, assistant director, Multi-State ISAC Security Operations Center at the Center for Internet Security.

2 minutes on: The advancement of DDoS

As the threat landscape continues to evolve, one malicious tactic has stood the test of time: distributed denial-of-service attacks (DDoS).

Comparing programs can yield rewards

We all know what we spend internally, but how do we get reliable, timely information for comparison purposes?

Questions for CxOs in a new era

As network security grows more elusive, CxOs need to ask their IT departments some tough questions.

Install mobile app safeguards

This is the age of bring-your-own-device, and it is too late to turn back now.

Expect attackers to up their creativity game in 2013

From mobile devices to the cloud to the supply chain and beyond, next year is certain to bring with it a fresh set of information security challenges.

Patent trolls and their effect on security

Companies that acquire patents for the sole purpose of suing other companies are limiting IT security innovation, which, in turn, is making users less safe.

Is the era of anti-virus over?

It's true: There are certain attacks that no security technology will be able to stop. But the situation isn't entirely hopeless. How organizations respond to an active threat can make all the difference in the world.

Making moves on the cyber chessboard

As the level of sophistication of digital attacks grows rapidly, targeted organizations must devise a strategic, military-like response.

No more trusted endpoints

The theater of risk has changed from network service-based attacks to attacks against the endpoint.

Debate: A White House order on cyber security

Debate: A White House order on cyber security would be a step in the right direction for safeguarding networks.

Me and my job: Grant Babb, Intel IT

A Q&A with Grant Babb, proactive investigations program manager for Intel IT.

The resurgence of security IPOs

Sixty percent of the venture-backed IPOs issued in the third quarter of this year are IT related.

The good, bad and ugly

While some instances of Stuxnet and Duqu found their way into seemingly unplanned locations, the majority of occurrences were localized to targeted systems.

Take to the offense with intel

Though standards lack, sharing threat data is vital, says EMC's Christopher Harrington.

Building a trustworthy mobility program

As device adoption continues to grow, the importance of implementing a secure enterprise mobility program cannot be understated.

Making sense of Middle East-targeted malware

Stuxnet kicked things off, and since then, there's been an explosion in sophisticated viruses targeting businesses and critical infrastructure in the Gulf region. But, prevention is still an option.

Writers of new James Bond flick have lax security to thank

The plot of "Skyfall," the 23rd installment of the James Bond franchise, is built around the theft of a hard drive containing personal information of a bunch of secret agents.

The challenges of securing enterprises in a BYOD world

Companies are permitting BYOD even if they have policies against it. But a set of best practices, covering areas such as IT inventory and device detection, can mitigate many of the corresponding risks.

Skills in demand: Incident response specialists

As the threat landscape evolves, more organizations are finding themselves responding to security incidents.

Me and my job: David Balcar, Novacoast

David Balcar, security adviser practice manager at Novacoast, discusses various aspects of his job.

Patchy response: Oracle fumbles response to Java flaw

With billions of devices worldwide running Java, Oracle faced a debacle in August as the details for two zero-day exploits in its popular software were leaked and actively used in attacks.

Debate: Flame, Stuxnet and other APTs are hype, but still be wary

Debate: Flame, Stuxnet and other APTs are hype, but you should still be extremely worried.

Authenticating new tech: Safeguarding mobile identities

In the age of mobile, social and cloud, the so-called perimeter that businesses have been protecting for years is now dead.

Plan BYOD with the workers

Most BYOD discussions focus on technical issues, such as how to identify offending devices, how to keep them off the network, or how to limit the types of devices. But nobody is talking about the human element.

A public cloud conundrum

We must resolve issues around data sovereignty, says Capgemini's Joe Coyle.

Threats can originate close to home

The Payment Card Industry Security Council is working to foster greater PCI expertise across the industry.

DDoS hitmen for hire

With DDoS attacks garnering more public attention than ever, crooks are taking advantage of the craze by providing online attacks in exchange for cash. What can your company do to avoid being a successful target?

Insider threat behavior, not just actions: Part two of a series

When it comes to insider threats, we often focus on implementing technologies and auditing at the endpoint, but it's the user behavior that we have to get a better grasp of.

Countering insider threats: Part One of a series

There may be no silver bullet to detect or prevent insider threats, but there are sophisticated technological solutions that can help.

A better way to segregate data by classification level

One of the many challenges that industry professionals face today is categorizing data within their own network. But there are ways to minimize the headaches and still ensure security.

Never trust a stranger: Secure social networking

The personally identifiable information found on social networks is a gateway for hackers to get access to the heart of the information they truly desire.

Hey CISOs, ask yourself these questions -- or find another job

With the job of the information security chief becoming more integral to the business' bottom line, it's important to make sure you're living up to the responsibility.

Skills in demand: Sales engineers

There's a high demand for sales engineers who can provide the technical expertise to align solutions with clients.

Me and my job: Adel Danesh, manager of enterprise systems

A Q&A with Adel Danesh, manager, enterprise systems at The Hospital for Sick Children in Toronto.

The weakest link of all

If our greatest vulnerability is the human factor, then why is it neglected?

Digital signature blame game

Trojans can propagate further - without detection by anti-virus applications - when they are digitally signed.

Flame is lame? Not so much.

Flame's cryptofunctionality silenced all the haters, says F-Secure's Mikko Hyppönen.

Policy creation shouldn't come easy

Policies form the cornerstone of the information security program and are instrumental for enforcing global consistency, driving change and launching enterprise programs.

Making peace with the cloud and BYOD

If there are two trends that have created a multitude of issues for security professionals, they're cloud services and bring-your-own-device. But there are ways to manage them.

Password security can improve, but the hackers will still get in

Considering the endless march of breaches, it may be time to scrap the belief that adequate passwords -- or even passphrases -- can prevent hackers from breaking into corporate environments. Instead, security pros should focus their efforts on gaining visibility into their networks.

Infrastructure wake-up call

The increasing connectedness of infrastructure increases the cascading effect an attack can have on other infrastructure sectors and capabilities.

Needed: Better app control

Many of today's applications are designed to work over any port, which increases chances they won't be blocked by firewalls.

New partnerships required

Only through collaboration can government and the private sector thwart cyber attacks, says Raymond Choo.

First: Define critical infrastructure

Consensus needs to be developed around how critical infrastructure is defined, says Mark Clancy, managing director and CISO for The Depository Trust & Clearing Corp.

Computer intrusions of the future may spoil your dinner -- literally

The hacks of tomorrow may target devices one never thought could be susceptible to compromise, like dishwashers and refrigerators. But a hypothetical glimpse into the future may make you think differently about what's to come.

Limitations of law enforcement in fighting cyber crime

The active pursuit of online criminals by authorities serves a valuable purpose, but often it ends up netting lesser fish and doesn't complete the entire equation of what is needed to battle today's slick adversaries.

Adding second-tier analysis to harness Big Data

The challenge that Big Data presents is trying to align disparate analytical islands. The answer comes in pulling all the pieces together.

Protecting information with privacy

Creating a privacy policy, especially in the mobile arena, can be a cumbersome task. Here's some advice for helping your customers and users gain control over their data through transparency and accountability.

Risk lessons over beer and bratwurst

After some experience with the European EMV "chip-and-PIN" card system while on vacation, the city of New York's CISO learned something about security: Don't take it for granted.

Learning from the military

The biggest problem with corporate information security programs and policies is the lack of standardized processes, uniform control points and comprehensive testing.

Stupid is as stupid does

When it comes to the causes of data breaches in health care, don't forget human goof-ups.

SEC rules: A serious development

Expect a sea change in digital security over the coming years, says Richard Bejtlich.

Fact or fiction: Dissecting the myths of advanced persistent threats

The term advanced persistent threat, or APT, has been flung around by vendors ad nauseam over the past several years. In a sense, given the sheer number of breaches, one can't blame them. But is what they're telling you, the buyer, truthful?

A session at DefCon 2009 spotted the Flame virus, sort of

The espionage toolkit known as Flame has sparked widespread awe over its capabilities. But at least some researchers already have exhibited how malware can disguise itself as a software update to infect computers.
