
Posts categorized "Business"

Tuesday, 03 October 2006

October is National Cyber Security Awareness Month

The National Cyber Security Alliance (NCSA) has announced the launch of National Cyber Security Awareness Month in October 2006.  You can read their press release at:

http://www.staysafeonline.info/news/ncsam06leadrelease.html

About The National Cyber Security Alliance

A not-for-profit 501(c)(3) organization, the National Cyber Security Alliance (NCSA) is a central clearinghouse for cyber security awareness and education for home users, small businesses, and the education community. A public-private partnership, NCSA sponsors include the Department of Homeland Security, Federal Trade Commission, and many private-sector corporations and organizations. For more information, and to review the top 8 cyber security practices, visit www.staysafeonline.org.

Sunday, 09 July 2006

CISO Career Guide

I've just finished my weekend project of publishing a free Career Resource Guide for anyone contemplating a career as a Chief Information Security Officer (CISO).  This free resource guide provides general commentary and links to educational, executive job search, and professional development for all interested in the work of information security executive leadership.

The free career resource guide can be found at: http://www.chiefinformationsecurityofficer.com.

Comments and suggestions are always welcome.  Wishing success to all interested in advancing their career in the field of information security management.

Friday, 05 May 2006

Law Enforcement & Cyber Criminals

High tech criminals.  News stories point out that most cyber criminals are slowly beginning to align themselves with more traditional criminal elements in our society.  It is not surprising that cyber criminals have begun to work with organized crime on an international level.  The reasons for some can be simply explained in economic terms--organized criminal elements pay cyber criminals such as hackers and malware/spyware authors to further their own agendas.

What are the implications of this convergence in criminal behavior?  One solution to counteract this problem is simple:  business and law enforcement dialog and cooperation.  Today more than ever, those charged with the responsibilities of protecting your business organizations, such as CSOs or CISOs, must develop and foster close working relationships with law enforcement.  Law enforcement agencies can provide the support to deal with crimes committed against business entities. 

CxOs:  Don't wait until you have a threat or crime made against your company/organization to call law enforcement.   Develop collaborative peer working relationships with all levels of law enforcement. 

Law enforcement community:  Thank you for your support.  We're here to work with you.

Jaime

Thursday, 04 May 2006

Ethics in Business and Life

Corporate financial scandals have plagued companies globally in the past few years, and it is no wonder that some "bad apples" in the executive ranks are leaving a disastrous legacy outside of the business environment and impacting the lives of younger generations.

During the past few weeks, news stories have carried the account of Kaavya Viswanathan, a 19 year old author, now attending Harvard University, and who was considered a rising author of teen novels.  After proof came to light that Kaavya may have plagiarized the work of another author, her publisher Little, Brown and Co. decided to rescind her lucrative book deal. 

Today, I came across a more disturbing story that shocked and surprised me.  Raytheon's (RTN:NYSE) CEO William Swanson became an almost overnight celebrity for publishing a short pamphlet titled "Swanson's Unwritten Rules of Management".  Swanson has admitted to plagiarizing the thoughts and works of other authors in his pamphlet.  His punishment is that Raytheon will not increase his salary and will force Swanson to skip his stock awards for this year.  Not a bad punishment when your base salary is reported to be $1.12 million.

Both of these stories are a sad commentary on our society today.  How can today's leaders, senior executives, educators, parents, or each one of us as citizens expect a brighter tomorrow for future generations?  How can we maintain those lofty expectations when we have leaders today consumed by greed, corruption, and dishonesty?  How can the younger generations such as Viswanathan be expected to learn from today's leaders?

Swanson was wrong in plagiarizing material for his pamphlet.  Viswanathan was wrong also in her actions of plagiarizing other authors.  Both failed to be ethical in their actions.

Lessons for leaders:  leadership is a trust and responsibility that should hold us to a higher standard.  As leaders, let us lead by example in our personal and professional lives.  No more excuses--bring back personal responsibility.  Let's live and work with ethics as a core value of all we do.

Today we need leaders who live and breathe ethics in all they do.  Viswanathan's generation needs to see those leaders lead by example in order to achieve our dream of a better tomorrow.

Jaime

Wednesday, 03 May 2006

Business Enablement

As security executives, we talk about "security: a business enabler".  But what does that really mean?  Does security management by itself enable a business to be more productive or profitable?  The answer is no.   Security management cannot by itself provide the tools, efficiencies, and resources to enable any organization to be more productive or profitable. 

Security management can be a useful ally in helping organizations become more productive and profitable only when integrated and carefully planned alongside other organizational initiatives.  Some of those vital integration points for security management include:  corporate governance, privacy management, regulatory compliance, financial planning, and business risk management.  When security management becomes an integral part of these touch point areas within an organization, the organization is on a better path to achieving the inherent goals of a strong security management program that helps the organization become more successful.

Jaime

Tuesday, 02 May 2006

Security Trends in 2006

In 2006 there have been a few trends and issues related to security and privacy that are noteworthy.  Here is my short list of security trends and issues that will continue to gain momentum and visibility throughout the rest of the year.

  1. Phishing attacks (aka. business identity theft)--phishing is accomplished by sending emails that entice consumers to provide personal information to a website pretending to be a legitimate business.  Examples include fraudulent phishing emails that entice bank customers to "log in" and verify their information.  Unsuspecting consumers see the email and the false website, which may look 100% exactly like the website for their bank, and provide their personal and financial information.  The cyber thieves then capture the customer's user name, password, account information, etc. and proceed to victimize the customer by stealing their information and assets.
  2. Insider threats--companies and organizations of all sizes are waking up to the reality that the biggest threats in the future may come from trusted internal sources, namely employees.  As companies are off-shoring certain functions, including internal software development, off-shore call centers for billing and customer service, etc., there are additional risks which are often overlooked.  Off-shore facilities and staff are not routinely checked for potential information security leaks.  Also, the issue of foreign laws, rules, and regulations related to the protection of consumer personal and financial data privacy is not carefully considered by most organizations today.  Companies and organizations will be forced in the coming years to add additional measures of security that must include policies, education, and enforcement to deal with the growing potential for insider threats.
  3. Security and Privacy Legislation--News stories of breaches of consumer personal, medical, and financial privacy during 2005 and early 2006 caught the attention of legislative bodies in the United States.  Although several states are now crafting consumer privacy laws to deal with this problem, it is foreseeable that in the short term the United States Congress will probably have to deal with this issue at a federal level.  Although Sarbanes-Oxley, HIPAA, GLBA, etc. will continue to impact companies and organizations across the United States, it is also possible that Congress will continue to create stronger legislation to enhance and further protect the rights of consumers and businesses, given the gaps and shortcomings of existing legislation and the increase in sophistication of security and privacy breaches.
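The phishing pattern described in item 1 (a "log in and verify" lure whose link leads somewhere other than the bank it imitates) is something a mail gateway or awareness tool can flag mechanically.  The following is an added illustration, not code from this blog or from any product it mentions: it pulls the links out of an HTML email body, compares the domain shown in each link's text with the domain the link actually points to, and flags login/verify wording that sends the reader off the sender's own domain.  The two sample emails, the sender domain examplebank.com, and the lure word list are all constructed for the example; the domain-trimming helper is deliberately crude (last two labels) where production code would consult the public suffix list.

```python
"""Flag phishing-style lures in an HTML email body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of phrases that typically accompany a credential lure.
LURE_WORDS = ("log in", "login", "verify", "confirm your", "update your account")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an anchor
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude owner domain: the last two labels (or the bare IP address).
    Assumption for the example; real code should use the public suffix list."""
    host = (host or "").lower().strip(".")
    if re.fullmatch(r"\d+(\.\d+){3}", host):
        return host
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyze_email(sender_domain, html_body):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    sender = registrable_domain(sender_domain)
    lure = any(w in html_body.lower() for w in LURE_WORDS)
    for href, text in parser.links:
        target = registrable_domain(urlparse(href).hostname or "")
        # Does the link text itself display a domain name?
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        shown = registrable_domain(m.group(1)) if m else None
        if shown and shown != target:
            findings.append(f"link text shows {shown} but points to {target}")
        if lure and target and target != sender:
            findings.append(f"login/verify lure links off-domain to {target}")
    return findings


# Constructed sample messages, both claiming to come from examplebank.com.
LEGIT_EMAIL = (
    '<p>Thanks for your order. See '
    '<a href="https://www.examplebank.com/orders">your orders</a>.</p>'
)
PHISH_EMAIL = (
    '<p>Please <a href="http://examplebank.com.login-secure.example/verify">'
    'log in to www.examplebank.com</a> to verify your account.</p>'
)

if __name__ == "__main__":
    for label, body in (("legit", LEGIT_EMAIL), ("phish", PHISH_EMAIL)):
        print(label, analyze_email("examplebank.com", body) or "clean")
```

The two checks are independent: the first catches the "looks like the bank's address but isn't" trick regardless of wording, and the second catches a lure that never displays a domain at all but still leads away from the sender.  Either finding is a reason to hold the message for review rather than to trust the link.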

Comments and questions are always welcome! 

Jaime

Friday, 28 April 2006

Information Security Governance

The IT Governance Institute (ITGI - www.itgi.org) has published a short paper on information security governance for top management titled, "Information Security Governance: Guidance for Boards of Directors and Executive Management 2nd Edition".

The PDF document can be downloaded by clicking here.

ITGI provides the following summary of the document:

"With increased networking and a growing realization of how valuable information assets are, information security is recognized as one of the most important issues to address for all IT users. However, the subject of IT security is often presented in high-tech terms, and managers find it difficult to understand the issues and feel confident about how their organizations are managing security-related risks. Information Security Governance helps overcome these barriers by explaining information security in business terms and comes complete with tools and techniques to help managers uncover security-related problems."

Jaime

Thursday, 27 April 2006

Regulatory Compliance in the Enterprise

Regulatory compliance should be a process, not an end goal, for businesses.  Today, an ever-increasing number of government and industry groups are forcing senior executives and companies to give serious consideration to regulatory compliance as a core business process.

I recently came across an excellent executive resource from the IT Compliance Institute (ITCi):  ITCi's Unified Compliance Project (UCP).

Included in the UCP website (http://www.itcinstitute.com/ucp) is a "Custom IT Impact Matrix" tool that provides a customized report of specific regulatory requirements and their implications for IT controls within any organization.

For more details visit: http://www.itcinstitute.com/ucp

If you would like to share more executive resources with readers of this blog, please submit your comments and suggestions.  Thanks in advance for your collaboration.

Jaime

Sunday, 12 February 2006

A Challenge for Top Management

Top management, bound by the fiduciary responsibility for protecting vital business information, faces a challenge of increasing sophistication in today's world.  How can business leaders meet this challenge?  There is no single answer that can help business leaders address the breadth and complexity of protecting vital business information.  However, I'd like to share two important areas of personal influence that executives can draw on to address this challenge.

Business Focus.
Protecting vital business information is not only a technology issue.  Protecting vital business information begins with accepting that it is a business issue first and foremost.  Technology can assist in this endeavor but cannot guarantee absolute protection.  Executives who are successful and effective in this regard understand the value and importance of a strong business focus that leverages people, processes, and technology.  Invest in your people, constantly review and improve your processes, and wisely manage your technology resources to achieve greater returns in protecting vital business information.

Accountability.
In today's business environment, executives should lead by example and be accountable for their actions.  Creating a culture of personal accountability at all levels of your organization will help you do what is ethical and correct for protecting vital business information.  Accountability earns the loyalty, admiration, and respect of your employees, business partners, and clients.

Warm regards,

Jaime Chanaga, CISSP, CISA