Showing posts with label Tips. Show all posts

Monday, June 11, 2007

5 Essentials for CISO Success

Being a CISO ain’t that easy nowadays. Actually, I am not sure if it ever was. Besides the obvious attributes of a good employee (honesty, integrity, confidence, good staffing, etc.), what makes a good CISO, and what makes a great CISO?

Through conversations with other security professionals and my own observations, I noticed five essentials that great CISOs consistently do well.

DISCLAIMER: In case you thought otherwise, information security is a holistic discipline and this article is not intended to be all-inclusive. To do so would require volumes of books and experience.

Essential #1: If you want someone to buy, you need to sell
This is always a challenge for me as deep down I am an introvert. I would be fine if all I had to do was work at my computer all day long, but I would make a much better analyst than I would a CISO. CISOs need to be visible and sell the programs they sponsor. CISOs need to sell everyone from the CEO to the backroom mail worker on how information security can help them conduct business better. People will buy into the concepts and ideas that make sense to them so spend time explaining how security benefits all stakeholders in the company.

My action item:
Each day I make it a point to talk to someone I have not talked to before in the company. Usually during casual conversations I find the opportunity to evangelize.

Essential #2: Align security initiatives with the business objectives
This seems simple enough, but unless a CISO actively seeks an understanding of the business’s goals and objectives, they will not be known to him/her. Be careful not to make strategic decisions based on assumptions.

Too often security is viewed as a barrier to conducting business with no tangible benefits. As much as it is my job to protect the company’s information assets, it is equally my job to ensure that security does not get in the way of business and where possible enables it.

My action item:
Actively seek an understanding of the company I work for as each opportunity presents itself. Volunteer for committees, attend meetings on time, and ask questions regularly. When I ask questions I ask them in a manner that conveys my desire to understand and help.

Essential #3: Compliance is not the “end all”
Obviously compliance is very important and all companies face some type of regulation, rule, guidance, or law that they have to contend with in relation to the management of information. I have always viewed compliance as the things that a governing body makes us do because we were not doing the right things to begin with. If companies had adequately protected sensitive information all along, we would have much less red tape to deal with today.

The security program I am responsible for is not designed specifically for compliance but is built specifically for the business. If the security program I manage is managed well, then compliance will be mostly automatic. During audits, answer what is asked and provide what is requested, nothing more and nothing less. If there are deficiencies, attend to them and ask why it was not already designed into the program.

Essential #4: Train, inform, remind and reward
This cannot be underestimated, but in most companies it has been for a long time. How can you expect the users in your company to abide by the rules dictated in policy if they are unaware of the rules and/or do not know how to apply them to their work? In order for users to understand, they must be trained. In order for users to develop good habits, they must be consistently reminded. In order for users to care, they must be rewarded.

Believe it or not, users believe they have more important things to think about than information security, and in many cases they are right.

My action item:
Create an information security training and awareness policy and obtain the approval of business executives. Develop an effective information security training and awareness program. Involve business unit leaders in the process of training and awareness program development.

Essential #5: Information will inevitably be compromised, detect and respond
Business information WILL be compromised through unauthorized disclosure, alteration, or destruction. This is an absolute fact. Prepare for detection and appropriate response.

My action items:
Develop standards for various detection mechanisms and logging facilities throughout the organization. Detection and logging should overlap and be redundant in design and implementation. Develop incident response policy and procedures, then test them regularly.

Conclusion
These tips should only complement what is already being done by an effective CISO. Wouldn’t it be nice if it were all this simple?

Monday, April 16, 2007

7 Easy tips to help ensure your child's internet safety

I have a couple of teenagers and another child about to become one. I am a caring father and a professional in the field of information security. Naturally I am concerned about the well-being of my kids when they use the Internet.

These are a few tips based on my own experiences with my own children.

1. Talk to them
I have talked to many parents that claim to have an open dialog with their kids. There are basically three types of relationships with respect to parent-child dialog as I see it.

There are parents that have an open dialog with their kids, there are parents who think they have an open dialog with their kids but don't, and lastly there are parents that don't have an open dialog with their kids and they know it. The best method to approach your child will largely depend on which group you are in.

I like to consider myself as having an open dialog with my children, but I am not naïve enough to think I know everything they do. Make attempts on a regular basis to sit down and learn how your kids use the computer. Get involved with them. Ask them to teach you about MySpace, instant messaging or the newest online game. I know my kids enjoy my involvement.

Parents who do not have an open dialog with their children need to start NOW. It may be difficult at first and your child may wonder “what’s the catch”. I urge you to stay consistent and build a habit out of demonstrating interest. Of course, counseling is always an option too.

Whatever you do as a parent, do NOT ignore the risks or think that they won’t affect your children. A false sense of security is no security at all.

2. Set boundaries
My children are not allowed to use the computer any time they wish. There are rules and boundaries to their usage. If I did not set boundaries, I am sure my kids would use the computer until their fingers bled. Your rules depend on your household and/or your beliefs, but set rules and communicate them effectively.

Just some of my boundaries:
- No computer usage until homework is done. (I do follow up with teachers.)
- There are only certain sites that I approve of.
- Very limited computer usage during nice days
- You must ask me before using the computer
And others…

If it helps, write your boundaries down on a piece of paper to share.

3. Work with them (will they let you participate too?)
My teenage son loves to play games online, and I am not one to miss out on the fun. Last year we were talking about the games he plays online. He got me hooked on an online role playing game called Runescape. I am a game addict, so I have to be sure I follow some boundaries of my own! It's fun to share what we do and brag about our accomplishments.

My teenage daughter is more of a socialite, so her choices of Internet locations are MySpace, YouTube and blog sites. When she finds something interesting, she will share it with me. When I find something interesting, I will share it with her. We have a great time laughing about what we find.

IMPORTANT: Give some semblance of privacy. This is especially true with my daughter. She needs her space, so I do not hound her constantly about what she does. I realize that she needs to have private conversations from time to time with her peers. This is a balancing act. Allow her to have her space, but keep tabs too.

4. Stay consistent
My children don’t think twice when we talk about our Internet usage or safety. I don’t change the rules and I don’t spring things on them. There is an understanding built on trust and consistent clear communication. Stay consistent in the message and rules.

Equally important is to stay consistent in the punishment. Recently my teenage daughter broke one of my rules. Not a major rule, but a rule nonetheless. She lost computer privileges for two weeks. She knows why she was punished and she knows I care.

5. Understand the risks
Do some research and speak with facts. Don’t expect your children to take you at your word, especially if they are told differently by their peers. Once you are armed with facts, share them with your kids. Ask them how they feel about it.

Good resources for the facts:
SafeKids
National Center for Missing & Exploited Children
FBI: A Parent’s Guide to Internet Safety
MySpace: Safety Tips

Do some searches. There is much to learn!

6. Observe
This is a very simple tip. Have your children use the computer in an easily viewable location. Explain to them the reasons why.

7. Install controls
There are plenty of parental control software options on the market. I have used and can recommend Net Nanny. Install the software per the manufacturer’s specifications and check the access logs regularly. Follow up with your children on any unusual changes in Internet access behavior.

Conclusion
None of these tips, alone or in combination, will guarantee your child’s Internet safety; they will only reduce the likelihood of something bad happening. I feel much better about my children’s safety since following these seven tips, and our relationship has only become stronger.

Take an active role and don’t be intimidated by the technology or your children’s perceived mastery of it!

Wednesday, April 11, 2007

Getta Lotta Spam? Some tips for you, next time.

6.7 million cans of SPAM are sold each year in Hawaii, which equals 5.5 cans per year per Hawaiian. Those Hawaiians like a lot of SPAM. Interesting, but I think I got the wrong spam.

The "other" spam, the electronic variety, the kind that most Hawaiians don’t like. Now, I got it.

Some folks are calling 2007 "The Year of Spam", and maybe it will be. After all, IDC predicts 40 billion (that's 40,000,000,000) spam email messages will be sent worldwide this year. Couple this volume with the fact that spammers (those who are responsible for sending spam) are ever changing their filter-evading techniques, and more spam reaches the inboxes of people like you and me. Spammers are sneaky &#^$@*es.

Understanding the Spammer
Have you ever asked yourself why spammers spam? The answer is simple, money. Spammers make millions of dollars sending spam. It’s business to them, plain and simple. There are many ways that spam equals money for the spammer, from people actually buying goods advertised in spam emails to pay-per-click scamming. Spammers will do whatever it takes to get their email into your mailbox.

What spammers are doing is illegal, right? True, but spammers don’t care. The way they operate makes it very difficult if not impossible to catch and prosecute them. Spammers often use “bot” networks to send their emails through hundreds or thousands of unsuspecting hosts. Bot networks allow the spammer to hide his/her true origin. To complicate things more, the spammer may be physically located in another country.

Although there is no tool or technique that will guarantee that you and I won't get spam email, there are things we can do to reduce our chances and/or the amount of spam email we receive.

‘Nuff of that, Now some Tips

Tip #1 - The obvious? Use anti-spam software and/or appliances. There are some useful programs on the market for personal computers and some good appliances for corporate environments. My favorite for personal home computers is SPAMfighter, and my favorite appliance is Tumbleweed. Your mileage may vary so check out what is a best fit for you.

Tip #2 - Use care in disclosing your email address. When posting in public forums (newsgroups, web sites, blogs, etc.) do not use your real email address. You can obfuscate your email address and still let people contact you, e.g. change email@trustedtoolkit.com into “ee em ay eye el at trustedtoolkit dot see oh em” or something else. You get the picture.

Spammers use various techniques for obtaining email addresses to send spam to. One of the easiest is to scan the Internet for patterns matching email addresses.

Tip #3 - Do not click links in spam emails. If a spam email gets through to your inbox, don’t click any links. If you click a link, chances are very good that the spammer now knows that you are a “live” person and the email address they have is good.

Tip #4 - Do not load images in emails automatically. The same premise in the tip above applies. Image spam is a very popular filter-evading technique these days. If you load images automatically in a spam email, chances are good that it contains a link that the spammer can track. Most email clients enable you to control how/if you load images in emails. Check your program for its capabilities. If you can live with “Text-only” (no HTML) email, then all the better.

Tip #5 - Do not “unsubscribe” from spam email. Spammers won’t take you off their mailing list; they will instead add you to the “active” or “confirmed” email list. The same premise in tip #3 applies. The unsubscribe link in the email lends some tiny semblance of implied legitimacy to the email in some people’s minds. No spam should be considered legitimate email.

Tip #6 - Read privacy policies. I understand that reading privacy policies is a pain in the rear for most people. Some privacy policies are a pain in the rear for me to read, and I read almost every one I encounter! Before I type my email address into an online form (encrypted, mind you), I check to see if the company or site has a privacy policy. If they do not, I will make a serious judgment call as to whether or not I want to share ANY of my information. If they do, I check the mention of how they will use and share my information, including my email address.

Tip #7 - If buying something online, read all the checkboxes during checkout. On many checkout pages there are checkboxes that state something like “share my information with partner companies” or “subscribe to company xyz news”. Don’t just skim over these checkboxes and continue on with your order. Read what they say and be sure that you have checked or unchecked the appropriate box(es).

Tip #8 - If you have a spam-infested mailbox, consider a new email address. If your email address is “out there”, meaning that it has been publicly posted on web sites, forums, newsgroups, etc., and you are getting an ample amount of spam, it may be time to consider a new email address. There are no methods I know of for cleaning your email address off the Internet, and spammers already have you in their lists. Might be time to “cut and run”.

Of course you could always choose not to use email.

I did not cover IM spam, cell-phone spam, or any of the up-and-coming spam techniques being actively employed today. Maybe I will later.