Come Join the Discussion


Monday, October 01, 2018

The Evolving role of the CISO

The CISO's role has been evolving over the years. It is moving away from a heavy emphasis on compliance and monitoring towards a more strategic role, particularly as CISOs get more and more access to the C-Suite. A key to success as a CISO is collaborating with, and understanding the work of, other business units. A large part of the job is not about technology at all. It is about relationships, project management, and learning about several parts of the business. It is a good CISO's job to adequately assess and point out the risks to the business of various projects and business practices. What are the other key elements of a successful CISO's strategy?

• Have you initiated a balanced Security Awareness Program?
• Is security baked into your company's SDLC?
• Are you regularly running scans of both your network and your applications?
• Are you monitoring your network to detect unusual activity?
• What about when that dreaded intrusion into your network occurs? Do you know what to do?
• What about third party risk?
• Do you have adequate InfoSec policies, standards, and procedures?

Monday, March 05, 2018

Mental illness, Homelessness, and our Security

You might ask: Why are so many people with mental illness out on the streets or homeless? President Reagan bears most of the responsibility for why so many people with mental illness are homeless. At least one third of those living on the streets and half of our jailed population suffer from mental illness, and should be in institutions specifically designed to help these individuals. During his presidency in 1980 (a sad time), Reagan stopped funding federal community mental health centers, thus removing services for those people who suffered with mental illness. While he was the governor of California, he had done something just as cruel: he released over half of the mental hospital patients in the state. He even passed legislation wiping out a requirement for involuntary hospitalization for those with mental illness. As so often is the case, as the president goes, so goes the country. As a result, states followed suit, and started to open the gates of mental institutions throughout the country. Ironically, in 1981, President Reagan was shot by John Hinckley Jr., who had mental illness. Is there a connection between President Reagan and so many of the shooters out and about hurting and killing so many innocent people? I think so!

Wednesday, February 21, 2018

Watch out for Email Scams About the Olympics

There are reports that hackers are running a 2018 Winter Olympics phishing campaign that hides malicious code inside an image!

Why is this particularly dangerous? Not only does hiding the attack inside an image help it evade detection, but once it actually runs, it uses a technique that generally won't get picked up by traditional antivirus solutions.

How is the attack being done? The attack is being delivered via phishing emails disguised as alerts from the country's National Counter-Terrorism Center, with malicious Word documents attached. Once opened, the Word doc encourages readers to enable content. DO NOT ENABLE CONTENT. The tricky aspect of this attack is that no download of the actual image is necessary: the malicious code can be run from either downloaded images or images hosted on the web. That means an attacker doesn't necessarily need to download an image onto a machine in order to get the malicious code to run on that machine.

What to do to protect yourself and your company:

• Do not open email attachments from senders you don't know. You should be especially wary of Word documents that ask you to enable content/macros.
• Do not click on any links in an email.
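Because the lure in this campaign is a Word attachment that asks the reader to enable macros, a mail gateway or triage script can flag macro-bearing Word attachments before a user ever sees the "Enable Content" bar. The following is an added example, not code from the original post: it looks inside the attachment rather than trusting its extension (a .docm renamed to .docx still carries its VBA part), and the sample attachments it builds are constructed placeholders, not real phishing samples.

```python
import io
import zipfile

# OOXML content type that marks a macro-enabled Word main document part.
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = ("application/vnd.openxmlformats-officedocument."
                      "wordprocessingml.document.main+xml")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc (OLE2/CFB) header


def build_sample_docx(with_macros: bool) -> bytes:
    """Constructed minimal Word archive for testing; real files carry many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ctype = MACRO_CONTENT_TYPE if with_macros else PLAIN_CONTENT_TYPE
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{ctype}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00")  # placeholder for the VBA storage
    return buf.getvalue()


def attachment_macro_report(data: bytes) -> dict:
    """Report macro indicators found by inspecting the bytes of a Word attachment."""
    report = {"legacy_ole": False, "has_vba_part": False, "macro_content_type": False}
    if data.startswith(OLE_MAGIC):
        # Binary .doc files can embed VBA; they need OLE-aware tooling, so flag for review.
        report["legacy_ole"] = True
        return report
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            report["has_vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                report["macro_content_type"] = MACRO_CONTENT_TYPE in ctypes
    except zipfile.BadZipFile:
        pass  # not an OOXML archive: nothing macro-related to report
    return report


def should_quarantine(data: bytes) -> bool:
    """True when any macro indicator is present, regardless of file extension."""
    r = attachment_macro_report(data)
    return r["legacy_ole"] or r["has_vba_part"] or r["macro_content_type"]
```

Quarantining on these indicators is a coarse but effective control: it strips the user out of the "Enable Content" decision the lure depends on.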

Tuesday, February 20, 2018

Third Party Risk

A phone call or a personal meeting is often crucial for success when dealing with third parties that have access to your critical or confidential data. East coast partners like morning meetings; I think they take great pleasure in doing this to us Californians to get back at us for the amazing weather we have. When we have business partners, we have to get assurance that they are practicing appropriate security and have a mature security program with good security controls. Make sure you have security standards to share with your partners, and ensure that they can follow them. These standards should cover contract language, their development environment, coding standards, ongoing assessments of their systems and processes, and much more. The last thing you want is for a breach of your data to occur when you have not done adequate assessments of your business partner.