So you think you want to be a CISO…

Information security is a great career path, but there are a few things you should think through before starting the trek down the information security highway.  The CISO (Chief Information Security Officer) creates new security obligations within an organization and must then enforce every obligation created.  Think of it as being the first person ever to set a speed limit on the highway and then tell people they will get a ticket for going over it.  If you are like most of us, you probably speed every now and then, just as most computer users break security policy on a regular basis.  In case you still think it sounds easy enough to be the enforcer, let's see what is involved in making a successful CISO.

First, you must have an inner determination that does not depend on receiving a word of thanks from others.  That's because information security is more thankless than most IT jobs, which is saying a lot.  Security officers must regulate data security, and the officer must enforce security rules with everyone, including executive management.  In the real world, that is roughly synonymous with telling your CEO that he is not the boss.  The CISO must also obtain buy-in to roll out and enforce new policies.  Security is ever-changing, and the CISO must have a good enough relationship with upper management to gain buy-in each time a change rolls out.  It bears repeating: the CISO has to be well-spoken enough to tell the CEO he is not the boss while also getting upper management's buy-in on new policies.  That is a tough balancing act even for the best employees.

The CISO must also be willing to admit when a policy is not working and change it.  Some of the simplest security changes can create a political backlash like no other.  Those are the times when the CISO must review what changed and determine the next best step for the organization as a whole.  This is yet another political balancing act in which data must be secured while internal customers stay happy enough that the CISO doesn't lose his job.

It's definitely not easy to be the enforcer, but here are a couple of suggestions if you still want to make your way to the top of the security pyramid.  Obtain the CompTIA Security+ certification.  It is definitely not a CISSP, but it gives you good entry-level knowledge of the field, which will help you decide whether you want a long-term career in information security.  Whether or not you already work in IT (Information Technology), find a way to get involved with your information security department.  Someone already in IT can work to become a liaison to the information security team.  If you are not in IT, tell someone in your IT department that you want to become a super user for your application and that you'd like to help make sure your department is as secure as possible.  IT departments are always overloaded and would love extra help from internal staff.


*Originally posted through the PortSec blogger.

Target hack raises serious questions about Risk Management effectiveness

Corporations spend extremely large sums each year to meet particular information technology security standards.  Such a standard puts a theoretical seal of approval on how the corporation handles the data it stores on a daily basis, both while that data sits on a server and while it is sent between servers.  These standards are defined, in large part, by independent engineering organizations that understand the internal workings of the software, and by the software vendors who maintain and improve it.  So what happens when technology advances faster than written security standards?

Target is a prime example.  The major store chain was breached over the 2013 holiday season.  The chain had recently completed a network security audit certified by an outside company, Trustwave, yet the mistakes uncovered after the breach should easily have been exposed before the attack.  The question now being raised is what steps were actually taken to secure the company in that most recent audit.  Target was supposedly following PCI DSS, the standard maintained by the PCI Security Standards Council that Visa and the other major card brands founded, which raises the larger question of whether the entire risk management compliance process is flawed.

Visa, probably the best known of the credit card brands, requires corporations that process its cards to follow a strict set of guidelines: door-locking procedures at sites where card data is stored, visitor sign-in requirements, approval of downstream vendors, technical storage requirements for databases that hold sensitive information, and other criteria.  The problem is that many of the same software vendors supplying applications to audited companies also have close ties to the audit and security standards companies.  Like Target, the companies behind several other high-profile breaches of recent years had passed a security audit shortly before being compromised.

There is no magic bullet for these failures, although customers will begin to speak to breached companies by shifting where they spend their hard-earned dollars.  New technologies may be developed to avoid similar breaches, but each company will be graded on how well it secures its own network by customers who choose to shop elsewhere.  This gives your security team a chance to jump ahead of the pack by going above and beyond the audit checklist in securing your data.


*Originally posted through the PortSec blogger.

All your online security in one place

Two-factor authentication has frustrated office dwellers since its inception.  Logging into many corporate bank websites, for instance, requires a user name and password plus a hardware token issued by the bank.  The user must ensure the token does not fall into the wrong hands and must also return it when the bank requires a device exchange.  In addition, many office users grow lazy over time and write down their bank user names and passwords for fear of forgetting them.  This becomes a prime target for digital crooks and co-workers who know where to look for the user names, passwords, and tokens.

The twenty-first century brought us a new, safer, and more secure method of two-factor authentication.  Authy provides two-factor authentication in what I like to call real-world usage patterns.  Authy takes the one-time code that the bank-issued hardware token used to display and has the phone app compute it instead, so the separately distributed token is no longer needed.  Even better, Authy enhances two-step authentication using the cell phone that almost all of us in IT now carry and protect like a body part.
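As an added example (editor's code, not Authy's and not from the original post), here is how a phone-generated one-time code of the kind described above is produced and checked.  Authenticator apps, Authy among them, support the standard time-based one-time password algorithm, TOTP (RFC 6238): an HMAC over a 30-second time counter, truncated to six or eight digits.  The secret and timestamps below are the RFC 6238 test vector, so the expected codes are known; the replay-tracking verifier class is the editor's own addition to show the server-side checks a practitioner would want.

```python
"""TOTP (RFC 6238) generation as a phone app computes it, plus server-side verification.

Added example; not Authy's code. The secret and timestamps used below are the RFC 6238
Appendix B test vector (secret "12345678901234567890"), so the expected codes are known.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, dynamically truncate to 31 bits,
    and return the low `digits` decimal digits, zero-padded."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    This is all the phone needs once the secret is enrolled; no network round trip."""
    return hotp(secret, unix_time // step, digits, algo)


def secret_from_base32(text: str) -> bytes:
    """Apps receive the shared secret base32-encoded (e.g. inside an otpauth:// URI);
    pad it so base64.b32decode accepts unpadded input."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


class TotpVerifier:
    """Server side of the exchange for one enrolled user.

    - accepts the current step plus `window` steps either side, to tolerate clock drift;
    - compares codes in constant time;
    - records the highest counter already accepted, so a code captured in transit (or
      copied off a sticky note) cannot be replayed while it is still within the window.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1  # highest counter value consumed so far

    def check(self, candidate: str, unix_time: int) -> bool:
        if len(candidate) != self.digits or not candidate.isdigit():
            return False
        base = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue  # already used: reject the replay even though the HMAC would match
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), candidate):
                self.last_counter = counter
                return True
        return False


RFC6238_SECRET = b"12345678901234567890"  # test-vector secret from RFC 6238 Appendix B

if __name__ == "__main__":
    print(totp(RFC6238_SECRET, 59, digits=8))       # 94287082 per RFC 6238
    print(totp(RFC6238_SECRET, int(time.time())))   # what the phone would display right now
```

The verifier keeps only a per-user integer, the last accepted counter, which is enough to turn a code that is merely time-limited into one that is genuinely one-time; widening `window` beyond one step makes life easier for users with drifting clocks but also widens the interval in which an intercepted code is useful.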

In theory, the cell phone attached to an Authy account has been verified by text message as belonging to the human you, as opposed to only the digital you.  This process verifies that you are the token's owner and not some random person who grabbed a token off a desk at work.  Note that the text-message step only proves control of the phone number at enrolment time; the code the app generates afterward is the stronger factor.  Many responsible cell phone users password-protect their phones these days, leading me to think of the password-protected phone as a third factor of authentication, but I digress.  Authy's most convenient mode is Bluetooth-enabled authentication.  The technology might have glitches, but it basically automates the two-factor step seamlessly: the user does nothing other than visit the website.  A token is generated at login and verified through the PC over Bluetooth from your phone.  It doesn't get much easier than that.

As a side-note, this is not a commercial for Authy as I have nothing to do with their company.  They are the first I have seen of this technology even though I assume others exist.   Authy has excited me regarding more secure use of web accounts in the future of mobile devices.


*Originally posted through the PortSec blogger.