
Posts from August 2007

August 28, 2007

China Denies State Sponsored Computer Hacking

China is officially denying any involvement in state sponsored computer hacking activities directed towards the German government.  (PC World article: German Government PCs Hacked)  A few days ago the German magazine Der Spiegel, had claimed that German government computers had been compromised by Chinese computer hackers.

Whether or not any government involvement is proved in this incident, this case does illustrate the need for governments around the world to shore up their critical and technology infrastructures from potential malfeasance by attackers.  Here in the U.S. this debate has raged for quite some time.

Too often, as citizens of any country, we fail to foresee the social and economic impact that a major attack on critical infrastructures, including the Internet, may have.  Today the Internet is intertwined with almost every facet of our daily lives.  It's time we, as citizens of the world, ask our governments to invest in protecting the critical and technology infrastructures that affect our daily lives.

I would guess it may be easier for a state sponsored terror network to create panic in any country by knocking out the technology infrastructure, thereby impacting our telephones, cellular phones, on-line banking, air traffic control systems, building environmental controls, etc. than it is to do physical harm to any of our airports, schools, shopping centers, etc.

If governments don't wake up to the fact that critical and technology infrastructures must be better protected, we could wake up one morning back in the stone age--without the conveniences of the modern world.

August 21, 2007

Identity Theft Ring Targets Forbes 400 Richest Americans

Identity (ID) theft is a serious crime affecting people from all walks of life.  Now it seems this type of crime has also affected some American millionaires and billionaires.

InformationWeek.com is reporting (http://www.informationweek.com/security/showArticle.jhtml?articleID=201800899) the announcement from Manhattan District Attorney Robert M. Morgenthau (http://www.manhattanda.org/whatsnew/index.htm) regarding the arrest of members of an ID theft gang who targeted billionaires from Forbes magazine's list of the 400 richest Americans.

I believe the law enforcement community acted appropriately in setting the year-long undercover operation that has led to these arrests.  Hopefully these criminals will be convicted of their crimes.  However, this case makes me think there is another incident worthy of criminal prosecutions.

In January, TJX Companies, Inc. (NYSE:TJX) disclosed the largest credit card information data breach affecting thousands of American consumers. The reality is that although this security incident affected thousands of consumers, it has not warranted or yielded ANY criminal prosecutions to date. Last week TJX Companies, Inc. announced that costs from this massive data breach may surpass $118 million.

Perhaps soon we will read the news wires and find the culprits behind the TJX data breach are also being prosecuted for ID theft criminal actions affecting thousands of consumers--not just the uber-wealthy.

Jaime

August 20, 2007

Security Leadership: Lead With Integrity

5. Lead with integrity
Personal and professional integrity should be at the core of a security leader’s beliefs and actions.  Unfortunately, in today’s business climate corporate scandals show some executives sacrificing their personal and professional ethics.  True excellence and leadership demand that executives hold strong personal and professional ethical standards.

-- From (http://blog.csoboard.com/cso/2007/07/security-excell.html)

The American Heritage® Dictionary of the English Language (Fourth Edition, 2000) defines the word "integrity" as: "Steadfast adherence to a strict moral or ethical code."

Leading with integrity is the definition of what some might call ethical leadership.  However, being a leader doesn't guarantee that you are being ethical in all that you do.  Likewise, being a person with high moral and ethical standards doesn't transform you into a leader.  However, being a professional who leads with integrity in every action you take will ensure long-term success for yourself, your organization, our community and society.

I challenge all business professionals and leaders--it is time we lead with integrity in our work and everything we do.

Jaime

August 16, 2007

Security Leadership: Value People

4. Value people
Too often security executives fail in their leadership because they forget that building relationships and trust with people is the secret to long-term success.  Learn to build relationships based on trust with your subordinates, peers, and partners to enhance your leadership performance.

-- From (http://blog.csoboard.com/cso/2007/07/security-excell.html)

The number one reason why organizations relegate their business partners to "vendors or suppliers" is the fact that most "business partners" fail to develop deep, personal, mutually trusting relationships with those organizations.  Business partners become obsessed with "the next sales cycle" and forget to care about their partner's business issues.

As a former CISO in the health care industry, I can remember working with some technology partners who wasted the opportunity to build a long-term, mutually beneficial relationship with our health care organization.  These partners were more interested in earning sales commissions, often recommending solutions and services that did not address our most important strategic business issues.  Unfortunately for those partners, they were relegated to "vendor" status quickly.  "Vendors" who threw away their product brochures, listened to our needs, and genuinely cared about our work of healing people and helping them manage disease quickly became our business partners--they became our valued partners.

Early in my career path, I made the mistake of not valuing the talent, hard work, and contributions of subordinates, peers, and partners alike.  Since then, I've made a conscious effort to correct those mistakes.  Forget hierarchies and organizational charts.  Treat everyone the same, with respect and dignity, and value them for who they are.  Your life will be enriched beyond measure--as my life has been blessed.

Jaime

August 15, 2007

Security Leadership: Be Innovative

3. Be innovative
Innovation in security management is critical to achieving excellence.  Don’t be afraid to try new ways to protect your IT assets and organizations.   Those people determined to break your information security are using innovation and creativity to find new ways to breach your information security defenses. Don’t be afraid to innovate and be creative in protecting your information assets and organizations.

-- From (http://blog.csoboard.com/cso/2007/07/security-excell.html)

In my previous blog post, I mentioned that technology alone won't solve all of our security challenges.  Today the security challenges faced by organizations are not limited to technology.  In order to effectively address ever-evolving challenges, security leaders must be innovative and creative.

One organization that has been characterized by its ability to foster innovation and creativity is the U.S. space agency NASA.  Every time I witness a U.S. Space Shuttle launch, I'm amazed at the incredible combination of science and innovation that has driven NASA to turn an impossible feat, putting men and women into space and Earth orbit, into a routine event.  NASA has found one of the timeless secrets of true long-term success for any organization--the ability to harness the incredible power of innovation and creativity.

I challenge you as leaders and organizations to foster innovation and creativity in all you do.  You may be surprised at the long-term business dividends.

August 14, 2007

Security Leadership: Learn from failure

2. Learn from failure
Failure is a road map to success.  Learn from your failures in security management and from the mistakes of others.  Don’t be afraid of taking risks, failing, and then learning from failure.  Thomas Edison never gave up, even after 10,000 failures when trying to invent the incandescent light bulb.  Have you failed 10,000 times in your security management leadership?  If not, then don’t give up!  Learn from failure!

-- From (http://blog.csoboard.com/cso/2007/07/security-excell.html)

One of the important lessons often overlooked by security professionals and executives is simple: effective security is not achieved with technology alone.

Senior security executives (CSOs/CISOs) are often forced into untenable positions when business units in their organizations ask for security solutions as an afterthought to information technology (IT) initiatives.  CSOs/CISOs are then forced to provide quick, technology-centric solutions to those business and IT requirements--setting aside the lesson that effective security is not always achieved with technology alone.

It is your responsibility as a security professional and executive to break this cycle of reactionary work.  If we are to be effective security leaders, we must create personal relationships within our own organizations--across business units, with other leaders--to make our work a strategic part of the business.  As a security professional and executive, when was the last time you reached out to other business units to understand their business problems?

We can add value to every corner of our organizations.  The lessons are out there for us to learn and put into practice.  If you have a lesson you'd like to share with me and the other readers of this blog, please leave a comment or email me.

Wishing you continued success in your security leadership.

Jaime