Posts Tagged: SANS Institute


18 Dec 18

A Chief Security Concern for Executive Teams

Virtually all companies like to say they take their customers’ privacy and security seriously, make it a top priority, blah blah. But you’d be forgiven if you couldn’t tell this by studying the executive leadership page of each company’s Web site. That’s because very few of the world’s biggest companies list any security executives in their highest ranks. Even among top tech firms, less than half list a chief technology officer (CTO). This post explores some reasons why this is the case, and why it can’t change fast enough.

KrebsOnSecurity reviewed the Web sites for the global top 100 companies by market value, and found just five percent of top 100 firms listed a chief information security officer (CISO) or chief security officer (CSO). Only a little more than a third even listed a CTO in their executive leadership pages.

The reality among high-tech firms that make up the top 50 companies in the NASDAQ market was even more striking: Fewer than half listed a CTO in their executive ranks, and I could find only three that featured a person with a security title.

Nobody’s saying these companies don’t have CISOs and/or CSOs and CTOs in their employ. A review of LinkedIn suggests that most of them in fact do have people in those roles (although I suspect the few that aren’t present or easily findable on LinkedIn have made a personal and/or professional decision not to be listed as such).

But it is interesting to note which roles companies consider worthwhile publishing in their executive leadership pages. For example, 73 percent of the top 100 companies listed a chief of human resources (or “chief people officer”), and about one-third included a chief marketing officer.

Not that these roles are somehow more or less important than that of a CISO/CSO within the organization. Nor is the average pay hugely different among all three roles. Yet, considering how much marketing (think consumer/customer data) and human resources (think employee personal/financial data) are impacted by your average data breach, it’s somewhat remarkable that more companies don’t list their chief security personnel among their top ranks.

Julie Conroy, research director at the market analyst firm Aite Group, said she initially hypothesized that companies with a regulatory mandate for strong cybersecurity controls (e.g. banks) would have this role in their executive leadership team.

“But a quick look at Bank of America and Chase’s websites proved me wrong,” Conroy said. “It looks like the CISO in those firms is one layer down, reporting to the executive leadership.”

Conroy says this dynamic reflects the fact that revenue centers like human capital and the ability to drum up new business are still prioritized and valued by businesses more than cost centers — including loss prevention and cybersecurity.

“Marketing and digital strategy roles drive top line revenue for firms—the latter is particularly important in retail and banking businesses as so much commerce moves online,” Conroy said. “While you and I know that cybersecurity and loss prevention are critical functions for all types of businesses, I don’t think that reality is reflected in the organizational structure of many businesses still. A common theme in my discussions with executives in cost center roles is how difficult it is for them to get budget to fund the tech they need for loss prevention initiatives.”


4 Mar 13

KrebsOnSecurity Wins Awards

I recently returned from San Francisco, which last week hosted the annual RSA Security conference. I had the pleasure of moderating a panel discussion on Raising the Costs of Compromise with some very smart guys, and also shared a stage with several security authors who were recognized for their contributions to infosec media.

Bruce Schneier, Jack Daniel & Krebs. Image: Alan Shimel.

Krebsonsecurity.com was honored with the “Blog That Best Represents the Industry” award at the RSA Security Blogger Meetup. This was the third year in a row that judges bestowed that honor on this blog. Krebsonsecurity.com also won the award for “Most Educational Security Blog.”

PaulDotCom won for “Best Security Podcast”; J4VV4D’s Blog earned the “Most Entertaining Security Blog” award; Sophos’s Naked Security Blog took home the “Best Corporate Security Blog” prize; and the “Single Best Blog Post or Podcast of the Year” went to Forbes’ Andy Greenberg, for Meet the Hackers Who Sell Spies the Tools to Crack Your PC (And Get Paid Six-Figure Fees). Finally, security blogger Jack Daniel was the latest greybeard inducted into the Security Bloggers Hall of Fame (Bruce Schneier and I shared that honor last year, which is why we’re both pictured on stage flanking Jack in this shot from last week).

Yours truly also was named one of 10 winners of the SANS Institute’s “Top Cyber Security Journalist” award. I am truly honored by the recognition, and want to thank all the loyal readers of this blog for their constant encouragement and support.


8 Nov 10

Keeping an Eye on the SpyEye Trojan

Last month, I published evidence suggesting that future development of the ZeuS banking Trojan was being merged with that of the up-and-coming SpyEye Trojan. Since then, a flood of new research has been published about SpyEye, including a new Web site that helps track the location of SpyEye control networks worldwide.

Roman Hüssy, the curator of Zeustracker — a site that has spotlighted ZeuS activity around the globe since early 2009 — late last week launched SpyEye Tracker, a sister service designed to help Internet service providers keep tabs on miscreants using SpyEye (take care with the IP address links listed at this service, because they can lead to live, malicious files).

Hüssy said he’s not convinced that the SpyEye crimeware kit will usurp the mighty ZeuS. “Why should they give up something which works and pay for a new tool?” he said in an online chat with KrebsOnSecurity.com. Instead, Hüssy said he’s launching the new tracking service to help prevent that shift.



24 Mar 10

Cybersecurity Policy Roundup

There are several cybersecurity policy issues on Capitol Hill that are worth keeping an eye on. Lawmakers in the Senate have introduced a measure that would call for trade restrictions against countries identified as hacker havens. Another proposal is meeting resistance from academics who worry about the effect of the bill’s mandatory certification programs for cybersecurity professionals.

As reported by The Hill newspaper, Senators Orrin Hatch (R-Utah) and Kirsten Gillibrand (D-NY) have introduced The International Cybercrime Reporting and Cooperation Act, a bill that would penalize foreign countries that fail to crack down on cyber criminals operating within their borders.



4 Mar 10

Krebsonsecurity Author Twice Honored

There is perhaps no greater compliment than to have your most esteemed peers recommend your work. I am now blogging from the RSA Conference in San Francisco, and over the past two days krebsonsecurity.com has received two peer recognition awards, one from the SANS Institute – among the nation’s top security research and training groups – and another from the Security Bloggers Network, an organization that has sought to recognize blogs that provide valuable content on computer security issues.

The SANS Institute polled 75 cybersecurity journalists and asked them to rank the top peers in their field. True to form, I showed up late to the awards ceremony on Tuesday, and Alan Paller, director of research for SANS, called me up on stage and said I’d received twice as many votes as the next guy in the contest, Robert McMillan, a reporter whose work is almost certainly the most widely syndicated and quoted of virtually anyone in this industry. Likewise, I am proud to have shared this honor with reporters whose work I recommend and admire, including USA Today’s Byron Acohido, Wired.com’s Kim Zetter, as well as Dan Goodin from The Register.

In related news, the delegates who were party to the Security Bloggers Awards at RSA this year picked krebsonsecurity.com as the top “non-technical security blog.” Somehow, I managed to show up late for this as well. Again, it was wonderful to have been nominated alongside security bloggers such as Taosecurity’s Richard Bejtlich, and security curmudgeon-in-chief Bruce Schneier.