By this time you all know that Home Depot was hacked.  Many of you may be asking why I didn’t cover this in an earlier post.  The primary reason is that I didn’t want to add a bunch of fuel to a fire that was already burning hot.  I’ve read some posts from people hitting Home Depot for not giving any real details and not confirming there was a breach right away.  How could they leave us hanging?

Read more: Home Depot Approached Their Data Breach Correctly

“Time is of the essence.” “Time is money.” Yadda, yadda, yadda.  You’ve heard it all before. Every business leader is pressed for time in one way or another. That’s why today’s post is quick and simple. Here are three questions every CIO should be asking their CISO, VP, Director or “Whatever” of Technology:

  1. Can you prove to me that we’ve not had a system breach in the past “x” months and will your evidence stand up to an independent 3rd party review?

    The idea here is to make people uncomfortable.  You don’t want to be placated.  You don’t want to hear someone touting their belief in the team.  You want concrete evidence.  Make them show you months of event logs that have been reviewed for anomalies or malicious activity.  Ask for something, anything.  Just don’t settle for “We believe our systems are safe”.   Even if you have no plans to get an independent review, ask them to be able to support their conclusions.  As Ronald Reagan said, “Trust, but verify”.

Read more: Three Information Security Questions Every CIO Should Ask Their Leadership Team

In case you’ve been asleep at the wheel, everybody thinks they need drones these days: Amazon, your local police department, the pizza delivery guy, the neighbor kid, his dad, everybody.  All of these drones will be equipped with surveillance technology such as cameras, microphones, GPS and RFID.

If you think red light and speed cameras are bad, you’re in for a treat.  At least with the speed cameras, you can avoid that section of town if you really want to.  Once these drones are in the air, privacy as we know it will die.  The FAA needs to step up and address this quickly, which unfortunately is not likely to happen.  In the meantime, local jurisdictions will attempt to implement their own enforcement rules. That might even be worse than the feds.

Read more: Drones...The End of Privacy as We Know It

Brian Krebs reported earlier this week about a suspected breach of credit and debit cards at Goodwill Industries stores in at least 21 states.  So when the 2013 Verizon DBIR reported a steep decline in breaches in the retail sector, I guess that was an incentive for the hackers.  Goodwill is just the latest major retail chain to be hacked.

If you’re about to graduate high school or are early in your college years and looking for a career field with long-term growth and job security, maybe you should consider any one of the fields within information security.  I think there are a lot of companies that will be looking for help in the near future.

A recent study by Osterman Research for Centrify concluded that 15% of respondents said their responsibility to protect employer data on their mobile device was “minimal to none”.

If this is shocking to you, it shouldn’t be.  The report also says users only think about security a few times per year.  I’ve said in the past that many organizations have rushed into BYOD programs.  Mobile devices are taking over our computing environment.  Mobile security is increasingly important.  So is securing the data instead of the device.

BYOD programs have a significant impact on how an organization complies with HIPAA, PCI, FISMA and other regulatory environments.  Has your organization implemented a mobile BYOD program?  Do you have a strong mobile security program in place?  What would you do if 15% of your employees said they didn’t care about the security of your cash?  Would that worry you?

According to the 2014 Verizon Data Breach Investigation Report, 35% of all breaches reported last year involved hacked web applications.  That’s up 14% from the past three-year period.  Web applications are the biggest target for a security breach.  They are constantly being updated.  A security breach is more likely to occur in a web application because of the complexity of the system and the short development cycles we’re using today.  Penetration testing is crucial for ensuring your web application is not hacked.  Any major release, and any release that modifies session handling, encryption, authentication or similar functions, should have penetration testing completed before moving to production.  The stats don’t lie.  Web applications are being hacked, resulting in security breaches that cost organizations millions every year.

The 2014 Verizon Data Breach Investigation Report shows that espionage is the fastest growing motive for cybercrime.  Financial motives have declined over the same period at about the same rate.  I’d argue that espionage is ultimately linked to financial motives.  Either corporate or government espionage is about having political, military or trade power.  Money is inextricably linked to all three.  Hacker groups are being formed by governments and organized cybercrime syndicates across the globe.  They are well funded and have clear targets.  Information security is going to become the next “theater” in which we fight wars.  Are you ready?
