Rightsizing GRC Implementations

Many GRC programs were initiated out of fear of noncompliance with a specific regulation and the sanctions and penalties that the organization could face. When implemented to address specific pain points, GRC efforts can be added in an ad hoc and often siloed manner as other pain points emerge. Organizations need to focus on rightsizing…

’Tis the Season for Resolutions

Holidays are a time of giving, and the beginning of the year is a time for resolutions. A few years ago I made a resolution to eat more bacon because it made me happy. Two years ago, I made a resolution to go to the South End (a section of Boston) more often because they…

Old-School IAM for New-School Security Risks: Attestation, Separation of Duties, Account Audits

“The thief who is harder to detect and who could cause the most damage is the insider—the employee with legitimate access.” This statement is found in The Insider Threat, a publication by the FBI’s Counter-Intelligence unit. Consistent with everything I know about law enforcement’s perspective on criminals, the FBI’s publication provides an interesting and useful…

Secure Crypto: Weak Ciphers Be Gone!

A number of cryptographic algorithms should, for one reason or another, no longer be used. Current TLS specifications and implementations still allow these ‘weak’ algorithms, and businesses are still using them. In TLS, the cryptographic algorithms used in a connection are bundled together to form cipher suites. Each cipher…
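Because a cipher suite bundles key exchange, authentication, bulk cipher and MAC, a suite is only as strong as its weakest component, and pruning a configuration means checking each component separately. The script below is an added example written for this page, not code from the original post: it parses IANA-style suite names into their components, applies a set of weakness rules that are this editor's own summary of widely deprecated primitives (export grades, NULL, RC4, (3)DES, MD5, anonymous key exchange), and returns the suites that survive. The sample suite list is constructed.

```python
"""Classify TLS cipher suites by component and flag the weak ones.

Added example, not code from the original post. SAMPLE_SUITES is
constructed; WEAK_CIPHERS, STATIC_KEX and MIN_KEY_BITS are this editor's
illustrative rules, not taken from the page.
"""
from dataclasses import dataclass, field

# Constructed sample: the kind of list a scanner or an `openssl ciphers` dump
# might produce for a server whose configuration has never been pruned.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_NULL_WITH_NULL_NULL",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_AES_256_GCM_SHA384",
]

# Bulk ciphers that should no longer be negotiated (matched on leading token).
WEAK_CIPHERS = {"NULL", "RC4", "RC2", "DES", "3DES", "IDEA"}
# Key-exchange families that use static keys and so give no forward secrecy.
STATIC_KEX = {"RSA", "DH", "ECDH"}
MIN_KEY_BITS = 128


@dataclass
class SuiteReport:
    name: str
    kex_auth: str
    cipher: str
    mac: str
    problems: list = field(default_factory=list)    # disqualifying findings
    advisories: list = field(default_factory=list)  # worth fixing, not fatal

    @property
    def weak(self) -> bool:
        return bool(self.problems)


def parse_suite(name: str):
    """Split an IANA suite name into (kex/auth, bulk cipher, MAC/PRF hash).

    TLS 1.2-style names read TLS_<kex>_<auth>_WITH_<cipher>_<hash>. TLS 1.3
    names have no _WITH_ part: key exchange is negotiated separately and is
    always ephemeral, so the kex/auth component comes back empty.
    """
    if not name.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher suite name: {name}")
    body = name[len("TLS_"):]
    if "_WITH_" in body:
        kex_auth, rest = body.split("_WITH_", 1)
    else:
        kex_auth, rest = "", body
    cipher, _, mac = rest.rpartition("_")  # hash is always the last token
    return kex_auth, cipher, mac


def assess(name: str) -> SuiteReport:
    """Apply the weakness rules to one suite, component by component."""
    kex_auth, cipher, mac = parse_suite(name)
    report = SuiteReport(name, kex_auth, cipher, mac)

    if "EXPORT" in kex_auth:
        report.problems.append("export-grade key exchange")
    if "anon" in kex_auth:
        report.problems.append("anonymous key exchange (no server authentication)")
    if kex_auth == "NULL":
        report.problems.append("no key exchange")

    tokens = cipher.split("_")
    if tokens[0] in WEAK_CIPHERS:
        report.problems.append(f"weak bulk cipher {tokens[0]}")
    for t in tokens[1:]:
        if t.isdigit() and int(t) < MIN_KEY_BITS:
            report.problems.append(f"{t}-bit key")

    if mac in ("MD5", "NULL"):
        report.problems.append(f"weak MAC/PRF {mac}")

    if kex_auth and "anon" not in kex_auth and kex_auth.split("_")[0] in STATIC_KEX:
        report.advisories.append("static key exchange: no forward secrecy")
    if tokens[-1] == "CBC":
        report.advisories.append("CBC mode: prefer an AEAD suite")
    return report


def allowed_suites(suites):
    """Return the suites that pass every disqualifying rule, in input order."""
    return [s for s in suites if not assess(s).weak]


if __name__ == "__main__":
    for s in SAMPLE_SUITES:
        r = assess(s)
        status = "REMOVE" if r.weak else "keep  "
        print(f"{status} {s}: {'; '.join(r.problems + r.advisories) or 'ok'}")
```

The split between `problems` and `advisories` is deliberate: a static-RSA AES-CBC suite is not broken in the way RC4 or an export suite is, so it stays on the allow-list but is reported as the next thing to retire in favour of an ECDHE AEAD suite.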

Enterprise Risk Management Processes: Room for Improvement

Increasing risk is driving many organizations to adopt formal processes for enabling risk management. Despite this increased attention, fewer than one quarter of organizations have complete risk management processes in place. A recent survey conducted by the ERM Initiative at North Carolina State University on behalf of the American Institute of Certified Public Accountants looked to uncover…

Steel Mills and the Security of Critical Infrastructure

In late December, the German government issued a report about a cyber attack on a steel mill that resulted in significant damage to that facility. The attack has received extensive publicity since then, from the BBC to YouTube, including a detailed analysis of the attack by SANS. Many of these reports, such as the one…

Managing Distributed Risk: A Strategy for Minimizing Risk from Third-party Engagement

If you’re like most IT professionals, you’ve noticed that your roster of third-party providers continues to grow. Whether you’re using software as a service (SaaS) applications (as virtually every organization does), offshore developers, cloud services like infrastructure as a service (IaaS) or platform as a service (PaaS), or document-sharing solutions, you probably have a…

How Focusing on GRC Processes Can Improve the Business

As the risks that organizations face increase and mandates become ever more prescriptive, effective governance, risk management, and compliance (GRC) implementations have become core to the business. To make these projects more successful, organizations need to focus on business issues and processes before moving on to implementation. According to ISACA, putting in place repeatable processes…

Security Hipsters Meet The Mainstream

“Well, my boyfriend’s in a band, he plays guitar while I sing Lou Reed. I’ve got feathers in my hair, I get down to Beat poetry. And my jazz collection’s rare, I can play most anything. I’m a Brooklyn baby.” – from Brooklyn Baby by Lana Del Rey. Whether we like it or not the…

How Risk-Based Authentication Can Improve the Authentication Experience

Authentication should be both as reassuring and as transparent as possible to the user. Risk-based authentication (RBA) can improve the authentication experience if used correctly. Users want an authentication solution to be strong enough to protect their digital assets, but they do not want to be inconvenienced with clunky technology that negatively affects their experience.…
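The "transparent when possible, strong when needed" balance is what a risk engine implements: score each login from contextual signals, then let the score decide how much friction the user sees. The following is an added example written for this page, not code from the original post. The signals (new device, country change, impossible travel, denylisted IP, recent failures), their weights and the two thresholds are illustrative choices by this editor, and the user history and login attempts are constructed.

```python
"""Risk-based authentication: score a login attempt, then pick the friction.

Added example, not code from the original post. Weights, thresholds, the
denylist and the scenario data are illustrative and constructed; a real
deployment tunes them against its own login telemetry.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Illustrative weights (this editor's choices, not from the page).
W_NEW_DEVICE = 30
W_COUNTRY_CHANGE = 25
W_IMPOSSIBLE_TRAVEL = 40      # country changed faster than a person could travel
W_DENYLISTED_IP = 50
W_PER_RECENT_FAILURE = 10
FAILURE_CAP = 30              # failures alone should not reach the deny band
TRAVEL_WINDOW = timedelta(hours=1)

# Below STEP_UP the returning user sees nothing extra; at or above DENY the
# attempt is refused outright; in between we ask for a second factor.
STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 80

DENYLISTED_IPS = {"203.0.113.7"}  # constructed, from the TEST-NET-3 range


@dataclass
class UserHistory:
    known_devices: set
    last_country: str
    last_login: datetime
    recent_failures: int


@dataclass
class LoginAttempt:
    device_id: str
    ip: str
    country: str
    when: datetime


def risk_score(attempt: LoginAttempt, history: UserHistory):
    """Return (score, reasons) for one attempt against the user's history."""
    score, reasons = 0, []
    if attempt.device_id not in history.known_devices:
        score += W_NEW_DEVICE
        reasons.append("unrecognised device")
    if attempt.country != history.last_country:
        score += W_COUNTRY_CHANGE
        reasons.append(f"country changed {history.last_country}->{attempt.country}")
        if attempt.when - history.last_login < TRAVEL_WINDOW:
            score += W_IMPOSSIBLE_TRAVEL
            reasons.append("impossible travel")
    if attempt.ip in DENYLISTED_IPS:
        score += W_DENYLISTED_IP
        reasons.append("source IP on denylist")
    if history.recent_failures:
        score += min(history.recent_failures * W_PER_RECENT_FAILURE, FAILURE_CAP)
        reasons.append(f"{history.recent_failures} recent failed attempts")
    return score, reasons


def decide(score: int) -> str:
    """Map a score to the friction level the user will experience."""
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up_mfa"
    return "allow"


def evaluate(attempt: LoginAttempt, history: UserHistory):
    """Convenience wrapper: (decision, score, reasons)."""
    score, reasons = risk_score(attempt, history)
    return decide(score), score, reasons


# Constructed scenario: one user, three attempts.
T0 = datetime(2015, 1, 12, 9, 0, tzinfo=timezone.utc)
ALICE = UserHistory(known_devices={"laptop-a1"}, last_country="US",
                    last_login=T0, recent_failures=0)

ROUTINE = LoginAttempt("laptop-a1", "198.51.100.20", "US", T0 + timedelta(hours=8))
NEW_PHONE = LoginAttempt("phone-z9", "198.51.100.21", "US", T0 + timedelta(days=1))
SUSPICIOUS = LoginAttempt("unknown-7", "203.0.113.7", "RO", T0 + timedelta(minutes=20))

if __name__ == "__main__":
    for label, attempt in (("routine", ROUTINE), ("new phone", NEW_PHONE),
                           ("suspicious", SUSPICIOUS)):
        decision, score, reasons = evaluate(attempt, ALICE)
        print(f"{label:11} score={score:3} -> {decision:12} {'; '.join(reasons)}")
```

The routine login from a known device scores zero and passes with no prompt at all, which is the "transparent" half of the goal; a new phone in the same country earns a one-time second-factor prompt rather than a block; and a new device from a new country twenty minutes later, via a denylisted address, is refused before any password is even checked. Capping the failed-attempt contribution keeps a few mistyped passwords from escalating straight to denial.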