From the Spring 2018 Issue

Better than (Project) Zero: A Cybersecurity ROI Roadmap

Author(s):

Chris Castaldo, Senior Director of Information Security, 2U

castaldo feature image

Since 2014 the mission of Google’s Project Zero has been to make the Internet a more secure place through the discovery and responsible publishing of vulnerabilities. While Google works with vendors to ensure a patch is available before details of a vulnerability are released, nothing is actually made more secure until that patch is applied … Read more

From the Spring 2018 Issue

A Disciplined Approach to Cybersecurity Program Management

Author(s):

Brian Hubbard, Director of Commercial Strategic Business and Cybersecurity Solutions, Edwards Performance Solutions

Brian Hubbard feature image

In many organizations, the Chief Information Security Officer (CISO) and their team understands the need for a strategic approach to managing an enterprise information security program. However, continual tactical “fire drills” rarely allow time to be dedicated to strategic objectives. Given typical CISO resource constraints, efficient and effective operations are critical to success. Running a … Read more

From the Winter 2018 Issue

Next Generation Security Assessment Methodology

Author(s):

Rick Mellendick, Chief Security Officer, PIAchievers

Next Generation Security

Why Organizations Need to Be More Than Just Compliant Enterprises across the industry-government-academia spectrum are struggling to balance the goals of improved security and regulatory compliance. Unfortunately, the two are not always compatible or aligned. Many organizations lack board level guidance when it comes to managing cybersecurity risk. As a result, many organizations expend resources … Read more

From the Winter 2018 Issue

Implementing Automated Cyber Defense

Author(s):

Scott Jasper, CAPT, USN (ret), Faculty, Naval Postgraduate School

Automated Cyber Defense image

Today, massive numbers of uncorrelated and unprioritized alerts overwhelm network security operations. Staff are unable to respond to breaches anywhere near real-time. Legacy architectures layer “best of breed” components for firewall, intrusion protection, web content filtering and antivirus protection, each of which generates a unique set of alerts. Additional devices only contribute to an ever … Read more

From the Fall 2017 Issue

BUILDING FOR SUCCESS: The Importance of Cloud Security

Author(s):

Vijaya Varma, Co-Founder and CTO, AxiomIO, Inc.

As organizations adopt Cloud technologies and capabilities, it’s important to discuss how secure (or insecure!) Cloud really is. Security concerns with respect to Cloud computing are similar to those of a traditional information technology (IT) setup. Even though Cloud providers such as Amazon Web Services (AWS), Microsoft Azure and the Google Cloud Platform (GCP) make … Read more

From the Fall 2017 Issue

Security by Design

Author(s):

Jeff Spivey, CRISC, CPP, PSP, CEO, Security Risk Management, Inc.

A holistic “life cycle” perspective is to prioritize security risk levels of security for the proper governance and management of all security. The future is already here — It’s just not evenly distributed yet.  William Gibson, Neuromancer The complexity of protecting our personal and organizational value is increasingly difficult to navigate.  Similarly, threats come from … Read more

From the Fall 2017 Issue

Legacy Modernization as a Cybersecurity Enabler

Author(s):

Henry J. Sienkiewicz, Author,

Dependencies on information technology began logically enough. In a technology-driven and dependent marketplace, enterprises seek to leverage information technology to improve their market position. Industries adopted COBOL-based software and mainframe computers for statistical reporting, accounting, claims, policy administration, billing and various information-processing activities.1 Many mainframe and legacy applications are older and require significant upgrades in … Read more

From the Fall 2017 Issue

16 Tons of Technical Debt: An Operational Perspective on Security Automation

Author(s):

J.C. Herz, COO, Ion Channel

In September of 2017, Equifax announced that extremely sensitive data, including social security numbers and driver’s license information, had been exfiltrated by hackers via the Apache Struts framework used to develop the credit rater’s website – a framework that powers thousands of large enterprises’ websites as well. Given the scope of the damage enabled by … Read more