More than a Balance: Privacy and Security as Partners in Trust

I was in Dublin recently to speak once again at the Secure Computing Forum. The theme this year was “Security and Privacy: Getting the Balance Right”, so I talked briefly about the KPMG report that I discussed in my 2013 blog on “Balancing Security and Privacy”, in particular the KPMG conclusion that “A balance can…

A Look Back at RSA Conference 2014

For the last 23 years, RSA Conference, the largest information security event across the globe, has headed to California. The conference provides a platform for industry leaders to discuss the hot topics that are changing the security landscape: market trends, new technologies and techniques that combat the latest threats, the evolving disruptors, and changing threat actors…

Battle of the Botmasters

Our primary mission at RSA FirstWatch is to find new intelligence about advanced threats and malware. We don’t often look at old intelligence, but recently one known botnet published a list of new Dynamically Generated Domain names, and it caught our attention. As we investigated, we were surprised to find out that one malware family…

Unlock the Power of Cloud-Based Provisioning

According to a March 19 study entitled Hosting and Cloud Go Mainstream: 2014, more than 45 percent of organizations are beyond the pilot phase of a cloud deployment, and 32 percent now possess a formal cloud computing plan as part of their overall IT and business strategy. The results demonstrate a stark increase in the use…

IT as a Service Competes Against Managed Services

There’s been a lot of focus on managed services in IT, and for many organizations—particularly smaller organizations—it probably makes sense to engage managed services providers rather than trying to manage IT internally. For organizations that do have an IT department, though, there is an emerging business model for IT called IT as a Service (ITaaS).…

IAM Lessons Learned from the Sochi Olympics

Writing about the Sochi Olympics' shortcomings feels a bit like piling on. Shoddy workmanship, decidedly un-brisk 65 degree weather, Bob Costas' double pink eye, and bathroom doors that require a MacGyver-esque level of ingenuity to open have been reported and re-reported, tweeted, and lampooned. @Sochiproblems has more followers than the Games' official Twitter account, GQ…

Bad Decisions Made Faster: How Qualitative Security Risk Assessments Are Making Things Worse

Once there was a leadership team that was exceedingly fond of using risk assessments to make business decisions about information security. The team cared little for detailed discussions about threats, vulnerabilities, technical exploits, or a host of potential security controls. They wanted their subject matter experts on information security to explain clearly how their recommended…

Fuzzy Math: The Security Risk Model That’s Actually About Risk

Sharpen your number two pencils, everyone, and use the following estimates to build a simple risk model:
Average number of incidents: 12.5 incidents per month (each incident affects 1 user)
Average loss of productivity: 3.0 hours per incident
Average fully loaded cost per user: $72 per hour
Based on this information, what can your risk…

So What *Is* the Risk of Mobile Malware?

Obvious, or oblivious? Short-term predictions eventually tend to make us look like one or the other—as Art Coviello astutely noted in making his own predictions for the security industry in 2014—depending on how they actually turn out. (Long-term predictions, however, which require an entirely different level of thinking, are evaluated against a different scale. For…

How to Enable BYOI in 1-2-3

I find myself really interested in users driving changes in security today, especially when it comes to IAM. You’ve heard the acronyms – BYOI, BYOD. You’ve heard the term “the consumerization of IT.” How can you, as a security professional, turn these to your advantage as opposed to something that is forced upon you? Sure,…