The New Crisis in Cybersecurity

By Mark Egan

There is a new crisis in Cybersecurity. A recent article highlights the current lack of trained Information Security professionals and ties this lack to the digital revolution and other technology advances, leading to “mega-breaches on an unprecedented scale.” Stealing IP has become a billion-dollar business; couple that with the fact that it is also much easier to break into a system than to protect it. All a criminal needs to do is find one hole in your environment and they can slip in. I have outlined briefly here, in a few key points, why there is a dearth of Cyber Security professionals and what can be done about it.

One of the biggest reasons there are fewer trained security professionals is that the Office of the CISO is still a relatively new organization compared to that of the CIO, a role that has been around significantly longer. CIO titles started in the 80’s when Information Technology became a critical component of daily business operations. The CISO title is more recent: in 2006 only 43% of large organizations had a CISO. This has changed over the past 10 years, and most larger organizations now have a formal security function and an overall leader.

However, companies show a trend of focusing on hiring very experienced security staff externally, as opposed to developing and training individuals internally. It would be more effective to take existing staff and train them, or to hire trained entry-level professionals whom you can develop.

Going Forward

The solution to Information Security is that companies have to develop their existing staff and then cultivate a mindset where everybody is “mindful” – like a Neighborhood Watch, where everyone is involved in the program. Most attacks still originate from phishing email – someone clicks on an email, and that email compromises that machine. Once attackers have compromised that machine, they move laterally within the environment and escalate to a privileged level of access. So if you have a Neighborhood Watch, everybody is on alert. When they see a suspicious email, they notify someone, and through this behavior you can build, grow, and perpetuate a more “security aware” program.

Ultimately, security is a people issue. To this end we created the Merritt College Information Security program as a fully accredited A.S. degree with majors in Applications and Infrastructure Security. The program has been two years in the making and serves the San Francisco Bay Area East Bay School districts, which include students from less advantaged backgrounds. It results from the partnership with the CISE CIO organization, Merritt College, and CIOs/CISOs from leading San Francisco Bay Area companies. The program provides trained, entry-level security professionals, from which an organization can then expand and develop other existing staff internally.

They are currently for hire; please contact me for more info.

Information Security Training: Merritt College Enters Its Third Year

 

Merritt College in Oakland, CA will start its third year of classes this Friday, August 26.

We’re excited to be entering the third year of this program, having graduated our first set of students this past June 2016. The Merritt College Applications and Infrastructure Security program (as a reminder) is a fully accredited A.S. degree with majors in Applications and Infrastructure Security.

This program results from a partnership with the CISE CIO Organization, Merritt College, and CIOs/CISOs from leading San Francisco Bay Area companies. These groups have given their time and expertise toward building up this program from its inception. Donations from the CISE CIO group now amount to $130K, and with this amount, we have developed the current curriculum and put a new cybersecurity lab in place.

This program and its impact couldn’t be more timely, given that one of the biggest threats to companies is a lack of trained cybersecurity professionals.

You can find an overview of the program here.

We are also looking to place our recent first class of June graduates into Information Security roles with leading companies and organizations. Please contact Mark Egan if you are interested in hiring our students to improve your Information Security programs.

Improve Your Information Security Program and Give Back to the Community

Merritt College Cybersecurity Students In Action

We are very excited to announce that Merritt College in Oakland, CA has graduated its first Information Security class. Merritt College serves the San Francisco Bay Area Central East Bay School districts, which include students from less advantaged backgrounds. The Merritt College Information Security program is a fully accredited A.S. degree with majors in Applications and Infrastructure Security. This program has been two years in the making and results from the partnership with the CISE CIO organization, Merritt College, and CIOs/CISOs from leading San Francisco Bay Area companies. Please find a fuller summary of the program below:

  • Courses are designed and delivered by security thought leaders from leading companies including Symantec, Wells Fargo Bank, and McAfee
  • Security program includes 30 credits of Information Security classes, hands-on labs, and internships with Bay Area companies
  • Class projects include forensics of a pharmaceutical organization that suffered a security breach, securing systems on Amazon Web Services, and developing Information Security strategies

We are now looking to place these graduates into Information Security roles with leading companies and organizations. Contact Mark Egan if you are interested in hiring our students to improve your Information Security programs.

 

Introducing the New Merritt College Applications and Infrastructure Security Program

Merritt College Information Security Students Place 2nd in 2015 National Cyber League Competition

The frequency and virulence of cyber security attacks, and the damage they cause to a number of industries, with millions of dollars lost and threats to personal safety, bombard us in the news weekly. Security is top of mind today; everybody is worried about security. I’ve made it part of my professional and personal mission to help companies protect their critical assets, and also to teach information security best practices.

This past year I have spent a lot of time building up a new program to train the next generation of cyber security professionals. Working with Merritt College in Oakland, CA, we have designed a two-year, fully accredited associate’s degree in Information Security.

The program covers all aspects of security, and students can major in application security or infrastructure security. Our first class of students will graduate this May. And the students from this class also recently placed 2nd in the 2015 National Cyber League Competition, beating out 125 other colleges and universities across the country, applying what they’ve learned in the classroom and internships with local companies.

We are looking for jobs for these students, and if you’re looking for security staff, we are here to help. Email me to connect with these students to learn more.

Mark Egan

Follow me on Twitter: @markeegan

Our Take on the Top Tech Trends

Later this week, the Churchill Club will hold its 17th Annual Top 10 Tech Trends debate. This kind of debate is just our thing, so the CIOs and CTOs here at StrataFusion are putting forward trends we expect to see. We’re looking forward to hearing whether the Churchill Club’s guests agree.

Internet of Things (IoT): Trends we expect include the incorporation of Radar into IoT and the ubiquity of Location-Aware Technology. Applications that rely on data and analytics from sentient machines: smart machines with artificial intelligence that are location-aware will be everywhere. Service businesses based on this technology will thrive.

Information Security: There is no denying the urgency behind increasing information security. The industry will strike a balance between security and ease-of-use by accepting “second form of authentication/tokens” as standard business procedure. Today we err on the side of ease-of-use but continued data losses will force a behavior change.

Commerce: We expect to see significant advances in commerce and banking innovations that address developments in the sharing economy, mobile commerce, micro-banking and micro-outsourcing.

Income Inequality: Technology has been a significant driver in the acceleration of income inequality, and the potential risks that could pose to economies and social structures around the world. We are interested to see how technology can become a driver in reversing this trend.

Home/Personal Tech: This space is still a mess. The Internet, digital reproduction and storage technology, new distribution models and standards have all had a hand in throwing this industry into turmoil. We believe we’ll see tech companies find a way to streamline this experience for the everyday consumer while protecting the rights of content creators.

Personal/SMB Payments: The emergence of new payment instruments such as Bitcoin and new payment methods such as Apple Pay could disrupt large parts of the payment and money transfer markets.

We also see an increased role for robotics (including drones) and wearables (beyond your wristwatch). Battery technology is on our list to watch, given we have been on the cusp of a breakthrough in battery technology for decades now.

More BIG Data

Not Just a Buzz Word for CIOs

Doug Harr

What do CIOs do with Big/Machine Data?

In 2010, most of us were deleting machine log data from our systems as soon as it was clear that processes had survived the night – very frequently this data was being tossed in the trash daily. Now, a short four years later, we’ve all learned that there is information in that data, and that by saving it and using search and analytics to mine it, an amazing number of things are possible.

“splunking”

As CIO at Splunk (a rapidly growing company that makes a platform aiming to make machine data available, usable and valuable for everyone), the first example I saw of the use of the solution within the company itself was related to their go-to-market model. Splunk had and has a “free-mium” model where customers and prospects can download Splunk software to their PC/Mac or host, then run machine data into it to search or analyze the data. We were “splunking” those downloads – for example, taking the Apache web log from the Splunk web site, contact feeds from our CRM system, Salesforce, for a lookup table, and communications back to our site which come back from Splunk itself once up and running. With just these three types of machine data records, one being a “lookup” table to enrich the data, we were able to produce an amazing array of analytics and reporting used by IT, product management, marketing, and others in measuring the download experience, uptime, and capacity, but also the actual sales pipeline, and understanding the company’s prospects.

Downloaded Experiences – Visualized

Since IT was responsible for making sure that the free Splunk software download function was operating properly, we were interested in the download experience – things like average minutes per download, and how that differed by platform.

 

 

 

We also liked seeing activity via geo-mapping, and other dashboard visualizations, as shown below:

Downloads by CRM Region

Real-time Data – Driving Business Excellence

Over the years the use of Splunk internally was expanded to address needs for both IT and business constituents providing customer insight, protecting against intrusion and malware, enhancing operations effectiveness, and other uses, falling into these categories:

  • Monitor and manage infrastructure – capacity, uptime, project delivery
  • Deliver application management – health of business apps, usage statistics, even some missing reporting
  • Provide analytics on security posture – identify and eradicate malware, APTs (advanced persistent threats), and other threats
  • Provide business analytics – most of these derived by departments – people in sales, marketing, and engineering analyzing business trends, product delivery, customer support and more
  • Internet of Things – we even “splunked” our headquarters building to review temperature and CO2 levels

These examples roughly match the broad spectrum of what can be done when ingesting and analyzing machine data in real time. Stay tuned for more examples in posts to come. Now with StrataFusion, I will be consulting and teaching more on these topics!

 

 

Trusted Information Security

How Safe is YOUR Information?

3 Simple Tips to Improve Your Information Security Program

By Mark Egan

  1. Know who can access your systems
  2. Keep your hardware and software current with security updates
  3. Monitor your network for suspicious activities

Every day we hear about information security issues and the associated business impacts.  We are talking billions of dollars from data breaches, stolen valuable IP, and compromised sensitive information.  While legislators are busy “thinking” about how they will “help” protect us, I recommend that you focus on three areas that will greatly improve your information security program to minimize negative business impacts.

First and foremost, do you know who can access your systems?

This may seem like a simple question; however, our experience is that organizations do not do a very good job of managing personnel and systems access, especially for non-employees. Make sure that only authorized personnel can access your systems, and have an ongoing process to maintain personnel additions and deletions. Recently, a major retailer experienced a security breach of 40M credit/debit cards that was a result of credentials being compromised that were provided to their air conditioning vendor.
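One way to run the ongoing additions-and-deletions check described above is to reconcile enabled accounts against a roster of employees and vendors. The script below is an added example, not code from the author or StrataFusion; the roster fields, account names, dates and the 90-day dormancy threshold are all constructed assumptions.

```python
from datetime import date

# Constructed sample data: an identity roster (HR plus vendor management)
# and an export of enabled accounts from a directory. All names are made up.
ROSTER = {
    "p001": {"name": "A. Rivera", "type": "employee", "status": "active", "end": None},
    "p002": {"name": "B. Chen", "type": "employee", "status": "terminated", "end": date(2014, 3, 1)},
    "v101": {"name": "HVAC vendor tech", "type": "vendor", "status": "active", "end": date(2014, 1, 31)},
    "v102": {"name": "Audit contractor", "type": "vendor", "status": "active", "end": date(2014, 12, 31)},
}
ACCOUNTS = [
    {"user": "arivera", "owner": "p001", "last_login": date(2014, 5, 28)},
    {"user": "bchen", "owner": "p002", "last_login": date(2014, 2, 27)},
    {"user": "hvac-svc", "owner": "v101", "last_login": date(2014, 5, 30)},
    {"user": "audit01", "owner": "v102", "last_login": date(2014, 1, 10)},
    {"user": "tmp-admin", "owner": None, "last_login": date(2014, 5, 1)},
]

def review_access(accounts, roster, today, dormant_days=90):
    """Return {username: [reasons]} for enabled accounts that need action."""
    findings = {}
    for acct in accounts:
        reasons = []
        person = roster.get(acct["owner"])
        if person is None:
            # Nobody is accountable for this account.
            reasons.append("no owner on roster")
        else:
            if person["status"] != "active":
                reasons.append("owner is no longer active")
            # Non-employee access should end with the engagement.
            if person["type"] != "employee" and person["end"] and person["end"] < today:
                reasons.append("vendor engagement ended")
        if (today - acct["last_login"]).days > dormant_days:
            reasons.append("dormant")
        if reasons:
            findings[acct["user"]] = reasons
    return findings

if __name__ == "__main__":
    for user, reasons in review_access(ACCOUNTS, ROSTER, date(2014, 6, 1)).items():
        print(f"{user}: {', '.join(reasons)}")
```

Note that the vendor account with a lapsed engagement is flagged even though it logged in two days earlier: recent activity on an account that should no longer exist is the case most worth escalating.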

Second, are you keeping your hardware and software current with the latest security updates?

These are generally provided free of charge by the vendors. Establish an ongoing process to ensure that updates occur on a regular basis to mitigate risks. Take for example the “Heartbleed” bug that exposed about 17%, or half a million, certified secure web servers to encryption vulnerability and information theft. SANS Institute, a cooperative research and education organization dedicated to information security solutions, provides a wealth of free information on best practices for patching hardware and software (www.sans.org).

Finally, do you monitor what is going on within your network?

You would be surprised at what we found working with clients just starting to implement their security monitoring systems; everything from employees accessing inappropriate web sites to hackers that steal valuable IP and operate undetected.  You might consider having a third party provide this service for you, if you do not have the in-house capability.

StrataFusion has worked with several public and private organizations over the past year, and we have found that these simple security measures have not been addressed within their organizations, putting them at risk. The simple tips presented are not expensive to implement and provide considerable improvements to your information security program.

Start protecting your information today – learn more.

StrataFusion Security Practice

The Executive Guide to Information Security

Mark Egan’s Guide will walk you through the process.

The Executive Guide to Information Security: Threats, Challenges, and Solutions