Introducing The SBIC Blog — Strategic Guidance from Global Security Executives

Imagine having regular access to a group of top-notch advisors – security leaders from some of the world’s largest brand-name companies – to help you build your security strategies. Companies like Coca-Cola, FedEx, Intel, Johnson & Johnson, JPMorgan Chase, SAP and Walmart. For the last five years, the Security for Business Innovation Council (SBIC) has been publishing reports that deliver actionable recommendations from some of the world’s most accomplished security leaders. Given the immense challenges in information security today, we know that practitioners are hungry for more guidance based on real-world experiences and lessons learned. This new SBIC blog provides increased access to Council members’ valuable insights.

To Cybercriminals, The Size of a Company No Longer Matters

Gone are the days when it was thought that the size of a company matters to cybercriminals. The latest PwC Information Security Breaches Survey 2013 shows a significant rise in the number of small businesses that were attacked by an unauthorized outsider in the last year – up by 22%. Interestingly, large organizations only went up by 5%. Cybercriminals have moved on to stealing intellectual property or corporate secrets, as that’s where the real money is, and small companies become easy targets because many do not have the resources or budgets to fully protect their information.

It’s time to understand the differences between corporate secrets and custodial data.

Safeguarding Patient Information During Crisis

In light of the recent events, I’ve reflected on how valuable electronic health records (EHR) and health information exchange (HIE) participation can be in a time of crisis to immediately access critical life-saving data on impacted victims. EHRs not only allow first responders to quickly access victims’ healthcare information, but also allow for more accurate ambulatory, ER and clinical decision making in life-or-death situations.

The Changing Nature of the Threat – 2013, Part 2 – Migration to the Cloud

A thorough risk assessment should be adopted by customers to ensure that the benefits of moving to the cloud outweigh the potential security threats. Techniques like privacy impact assessment (PIA) and ‘Plan, Do, Act, Check’ are recommended to ensure a measured but comprehensive change for them. Evidence shows that there may be issues with customers meeting their legal obligations when their data are hosted outside of their local context. Hence, this will raise questions about the effectiveness of existing risk governance frameworks. More evaluations should be conducted to assess the true potential and apparent risks in order to protect both customers and Cloud Service Providers (CSPs).

Bringing ERM to PCI: PCI-DSS Risk Assessment Guidelines

In mid-November, the PCI Security Standards Council released its Risk Assessment Guidelines as a supplement to the PCI Data Security Standard (PCI-DSS). Expanding on the requirements outlined in section 12.1.2 of the PCI-DSS, the new document provides further guidance on the techniques and methods organizations should consider when addressing this requirement of the standard. Checking the box on “Do you have a risk management program?” will not be as simple as before.

Where’s my Data?

According to a recent report by Icomm Technologies, 70% of cloud data centers keep customers in the dark about storage locations. To me, that is a pretty scary statistic, particularly as organizations are rapidly deploying cloud storage services and there doesn’t seem to be any evidence that organizations that have sensitive or confidential data are refraining from doing so. This statistic should set alarm bells ringing, especially in the EU, where organizations that store citizens’ data must have evidence of where that data is stored.

Evolution of Cybertraining

The security industry has been following a set pattern of evolution when it comes to cybersecurity maturity. Since organizations face a much more dangerous threat landscape, they need to be actively evolving their historical security defenses to integrate them into a formal security and business risk framework.

Be Secure, Be Confident in the Cloud

Intel recently announced the Intel Xeon Processor Series that helps enable comprehensive and verifiable security and compliance in cloud environments. With these technologies, Intel is providing a foundation to make cloud deployments suitable for increasingly sensitive workloads.

Learning to cook – Bake a Trusted Cloud Part 2

Proving that the physical and virtual infrastructure of the cloud can be trusted can be prohibitively difficult, especially when it comes to cloud services from external service providers. Verifying secure conditions in the foundations of the cloud is important for a simple reason: if organizations can’t trust the safety of their computing infrastructure, the security of all the information, applications and services running on top of it falls into doubt.