June 17, 2016

Hiring Your First CISO: A How-to

A track record and trusted network of industry relationships are keys to successful CISO searches. The hiring company should be confident in the recruiting firm’s knowledge of market data on compensation, its ability to understand their culture and its network to provide a diverse slate of qualified candidates. With extreme demand for well-qualified candidates, an inverse relationship exists between the length of the interview process and likelihood of acceptance. Organizations should streamline the process by ensuring interviewers understand the CISO role and responsibilities, and remember to sell the benefits of joining the team. Our firm sets up a launch call with the hiring manager and key stakeholders, provides a slate of spot-on candidates within the first 15 days, has biweekly update calls and partners to find the best possible candidate in a timely manner.


Bring on the blockchain future

Crucial functions — such as payments and trading — remain concentrated in large, undercapitalized banks or other central hubs; despite regulators’ efforts, losses at those institutions could still have economywide repercussions. To make matters worse, the authorities don’t yet have a clear real-time picture of what’s happening in financial markets or where risk is concentrated. Blockchain technology is capable of addressing both issues. Finance is all about trust: Essentially, financial institutions evolved to enable transactions with strangers. Centralized intermediaries of various kinds solved that problem, keeping track of who owns what and who owes whom. But centralized intermediaries also create points of systemic vulnerability. Regulators continue to wrestle with this underlying — and hitherto unavoidable — dilemma.


Networking the Cloud for IoT – Pt 3 Cloud Network Systems Engineering

Using this model, security issues must be addressed through a multi-layered approach. From a system engineering point of view, users must be forced to implement complex passwords and Public Key Infrastructure (PKI) certifications must be a minimum requirement for operating across the IoT network. The article, “How to protect Wearable Devices Against Cyberattacks,” in IEEE Roundup online magazine, postulated that, where there are devices with limited functionality, they can be linked to the user’s smartphone, which can act as a conduit for the device’s information, thus securing it from the outside world. Most importantly of all, though, is ensuring that the proper amount of Systems Engineering design rigor has been exercised in the development process. This makes defects easier to find and much less costly than a multimillion-dollar security breach.


Data Science of Variable Selection: A Review

The fact is that when confronted with massive numbers of candidate predictors and multiple possible targets or dependent variables, the classic framework neither works, holds nor provides useful guidance – how does anyone develop a finite set of hypotheses with millions of predictors? Numerous recent papers delineate this dilemma from Chattopadhyay and Lipson's brilliant paper Data Smashing: Uncovering Lurking Order in Data (available here) who state, "The key bottleneck is that most data comparison algorithms today rely on a human expert to specify what ‘features’ of the data are relevant for comparison. Here, we propose a new principle for estimating the similarity between the sources of arbitrary data streams, using neither domain knowledge nor learning."


UNIX®: Lowering the Total Cost of Ownership

TCO is greatly reduced because a UNIX certified operating system lowers the acquisition, maintenance and updating costs. The benefits of UNIX mentioned above also hint at reduced administrative, training and operational costs, which also reduce the total cost of ownership and which also should be considered in evaluating solution cost. IT decision makers should consider how choosing an operating system that is UNIX certified will benefit the TCO profile of their solution(s). This is especially true because making standards a requirement, during acquisition, costs so little yet can have such substantial benefits to TCO, enabling accelerated innovation and demonstrating good IT governance.


Berkholz on how DevOps, automation and orchestration combine for continuous apps delivery

IT is going through this kind of existential crisis of moving from being a cost center to fighting shadow IT, fighting bring your own device (BYOD), trying to figure out how to bring that all into the fold. How they do so is this transition toward IT as a service is the way we think about it. IT becoming more like a service provider in their own right, pulling in all these external services and providing a better experience in house. If you think about shadow IT, for example, you think about developers using a credit card to sign up for some public cloud or another. That’s all well and good, but wouldn’t it be even nicer if they didn’t have to worry about the billing, the expensing, the payments, and all that stuff, because IT already provided that for them. That’s where things are going, because that’s the IT-as-a-service provider model.


Hack the hackers: Eavesdrop for intel on emerging threats

“Obviously the time between vulnerability recognition and vendor patch release or workaround is valuable for threat actors, but when detailed exploit guides are available in multiple languages, that time delta can be disastrous for businesses,” Gundert says. The OPcache Binary Webshell vulnerability in PHP 7 is another example of attackers jumping ahead of the game. Security firm GoSecure described the new exploit on April 27, and Recorded Future uncovered a tutorial explaining how to use the proof of concept referenced in GoSecure’s blog post on April 30. As GoSecure noted, the vulnerability didn’t universally affect PHP applications. But with the resulting tutorial, attackers could have an easier time finding servers with potentially dangerous configurations that make them vulnerable to the file upload flaw.


Being a great communicator and facilitator is key to CISO role

In this day and age, CISOs need to be good security communicators. So what security professionals should do is try to communicate the threats, the security risks, in a non-threatening way, and also in [terms] that a business or a board member can understand. I would put it as loss of revenue because of application downtime; loss of brand or image because of a breach, because we lost X amount of records. That communication piece is a big part of the CISO role now to make it a part of the business and make it a facilitator. [CISOs need to make it clear that security is not just] something that they need to do because they want to be compliant or they need to do because they don't want to be featured in The Wall Street Journal.


The Evolution of Code Review [Infographic]

Though we love tool-based code reviews, we’ve also seen that these other forms of code review are still the go-to method for a number of organizations. In fact, when we surveyed more than 600 software developers, testers, and IT professionals earlier this year, we found that: 72% of teams are doing ad-hoc, or “over-the-shoulder” code review; 63% are doing tool-based code review; and 53% are doing meeting-based code review. No matter what form of code review your team is involved in, it’s important that your team is regularly doing code reviews. In the below infographic, we’ll take a closer look at the different types of peer reviews and the benefits, as well as downfalls, of each. Find out which code review method is right for your team.


Virtual Panel on (Cloud) Lock-In

It is important to separate out switching out implementations with switching out interfaces. Standard interfaces (even at the conceptual level) reduce the risk. Users can deal with problems without having to rewrite everything. The core concepts around VMs and object stores are well understood enough that the switching cost is low. Conversely, the more unique the system is at the conceptual level the harder it will be to switch. Unfortunately, these unique features often provide enormous value. The nastiest surprises are those systems that appear to be a safe bet but often end up becoming a nightmare in production. Developer focused storage systems are notorious for this. They can be super easy to get started with and provide a great experience at the start. Often times issues with performance, stability and operability will only show up after the application is launched and taking significant traffic.


Quote for the day:

"Every thought you have can be energetically calibrated, along with its impact on your body and your environment." -- @DrWayneWDyer