Prevendra: RSA Conference

Security Thought Leadership by Christopher Burgess


Effective Database Cloud Security: The Holy Grail of Every Company

by Christopher Burgess on May 22, 2015

Enterprises rely on metrics to track where they are and where they’re heading. Databases have three: availability, accessibility, security. The latter—securing data at rest and in motion while users engage with the data—is still a challenge for many organizations. Database cloud security is still a relatively new concept, and isn’t always easy to grasp. It was already complex for many C-suite…


Network Security: Does Your Network Resemble a Sieve?

by Christopher Burgess on January 29, 2015

The new year is here and you’re putting together the goals and objectives for your network security team. The number of data breaches during the past year has finally caught the attention of your company’s board of directors and executive decision makers. Resources have always been tight, but this year there is an allocation to secure the company’s networks. It would appear that the years…


Customer Data: The Crown Jewels

by Christopher Burgess on January 9, 2015

Do you know where your company’s crown jewels are? Comparing customer data to the crown jewels is obviously an appropriate analogy if you consider the history of the jewels. The crown jewels represent the wealth of the monarchy, and in times gone by, a measure of fiscal reserve. England kept its Crown Jewels in Westminster Abbey until the early fourteenth century, and then they were moved to the…


Today’s Challenge: Database Security in the Cloud

by Christopher Burgess on December 19, 2014

There is more to cloud data security than just data security in the cloud. The core product offerings for cloud data storage services (or Cloud Sync and Share, as they may be called) include storage, sync, share, view, collaborate, Web and mobile support, and APIs, said Rich Mogull of Securosis. “Without a solid security baseline it really doesn’t matter what else the service offers,” Mogull wrote. …


What’s in Your Privacy Policy?

by Christopher Burgess on December 4, 2014

The days of asking “Why do I need an entire policy about privacy?” are long gone. Users regularly evaluate the trade-off between how their information is being used and the cost to personal privacy. Every company needs to be upfront about how user data is being used, shared, and stored. What Does a Privacy Policy Look Like? A quick survey of well-known companies and their respective privacy…


Which Is It: Privacy vs. Security, or Privacy and Security?

by Christopher Burgess on November 21, 2014

The age-old question: is it “privacy vs. security” or “privacy and security”? This year, we’ve seen data breach after data breach affecting companies of all sizes and across all industries. We’ve also seen victims grapple with privacy headaches in the aftermath. It would seem, then, that security and privacy are intertwined. But when considering the users and how they interact with company data, …


Critical Infrastructure Security Is Key to Homeland Security

by Christopher Burgess on November 10, 2014

The US Department of Homeland Security (DHS) is the model that most often comes to mind when broaching the subject of national security. The DHS takes a critical role in the protection of its infrastructure—electric, water, gas, transport, etc. The DHS, via the US-CERT (Cyber Emergency Response Team), produces alerts, advisories, and reports that not only keep government clientele well informed, but…


Threats and Risk Management: Protect Your IP From Computer Hacking

by Christopher Burgess on October 10, 2014

There isn’t a company in existence that doesn’t have trade secrets and intellectual property worth protecting. The threats may come from computer hacking or from careless end users not paying attention to processes and procedures. One does not exclude the other. Poor cyber-hygiene makes the likelihood of systems and device compromises a real possibility. Tim Mather of Cadence Design Systems…


Cybersecurity Requires Qualified Personnel

by Christopher Burgess on September 25, 2014

The community of cybersecurity professionals is an energetic, creative, and highly sought-after one. It’s also incredibly small, with hiring demands outpacing the available supply of professionals. Ask your chief information security officer, chief information officer, or chief security officer if they have all the information security personnel they want, and the answer will almost always be a…


Data Protects Patient Privacy

by Christopher Burgess on August 26, 2014

Who wants his or her medical information shared beyond the healthcare professionals who need to know? It’s common sense that when it comes to medical privacy, no one wants to share his information. For the recent 2014 EMC Privacy Index, respondents from different countries were asked to rate their willingness to trade privacy for convenience on a scale from 0 to 100 (100 being the most willing and 0…


Vulnerability Management Helps Law Enforcement Investigate Cybercrime

by Christopher Burgess on July 30, 2014

Have we had a day in recent memory when cybercrime was not part of the global news cycle? According to a newly released report from RSA, over 50 percent of phishing attacks in March 2014 targeted brands located in the United States, United Kingdom, India, Australia, and Canada; an April 2014 RSA report reviewing 2013 data noted phishing caused $5.9 billion in losses to global organizations that…


Mobile Payments and Devices Under Attack

by Christopher Burgess on July 21, 2014

A number of annual security reports released in the first half of 2014 address the threat to mobile devices and capabilities, including mobile payments and banking. If you are an Android user, you will find it interesting these reports estimated 98 to 99 percent of all mobile malware created in 2013 targeted Android devices (see, for example, the Cisco 2014 Annual Security Report and the Kaspersky…


Intellectual Property at Risk

by Christopher Burgess on June 23, 2014

Walk about your office and ask your employees, “Are you appropriately protecting the company’s intellectual property (IP)?” Count how many responses resemble, “Oh, I don’t have access to any IP, I work in XYZ department, not R&D.” Such answers cause cringes at every level, as it demonstrates multiple points of failure: failure to enlighten the workforce that IP involves so much more than just R&D…


Next-Gen Malware: Destructive Devices

by Christopher Burgess on June 11, 2014

The word malware (malicious or malevolent software) has permeated our lexicon, especially for those in the security world. A cyber-criminal’s intent has been either to utilize your resources in their criminal endeavors (i.e., put their malware on your system and launch from within your hosted spaces) or to extract information from your entity that could be monetized quickly and effectively. At the…


Losing Faith with Retail POS?

by Christopher Burgess on May 28, 2014

The technology section of every newspaper, magazine or online entity lately is describing how point of sale (POS), and the use of your credit cards is a bit like playing Russian roulette with the retail POS terminals — are they or are they not compromised? The recent batch of retail breaches of payment card industry (PCI) data began with Target, then Neiman Marcus, Michaels, and a bevy of…


Breaches: When You’re Caught With Your Britches Down

by Christopher Burgess on May 19, 2014

Head over to the search engine of your choice, put in the keywords “data breach,” and take a look at the screen. The very first thing you’ll encounter is the new cottage industry that has evolved around rectifying the residual fallout that accompanies many breach events. You’ll discover that there is no shortage of paid ads offering various solutions. Then you’ll see the multitudes of vendors…


Greatly Reduce Data Theft by Knowing the Who and Where of Your Data

by Christopher Burgess on May 9, 2014

The universal constant of every business, regardless of size or industry, is that it has important data, and that data may be the target for theft. What should be the second constant is knowledge of where the data is located. Once you know its location, you can sort out who has access. This sounds simple, yet so many companies are unable to say with certainty where their data is, who has access…


When Intellectual Property Goes Out the Front Door

by Christopher Burgess on May 1, 2014

According to a 2012 survey by the Japanese Ministry of Economy, Trade, and Industry (METI) referenced in The Asahi Shimbun, it was revealed that of the 3,000 Japanese companies polled, 13.5 percent have had their intellectual property (IP) leaked or have suspected a leak over the past five years. The Asahi Shimbun goes on to describe how IP is being stolen by a variety of entities, both foreign and…


CISOs, Business Security, and the Business of Security

by Christopher Burgess on April 3, 2014

So you want to be a CISO, really? Business security, or the business of security, has evolved and is evolving, according to Todd Fitzgerald of Grant Thornton International, who shared his thoughts in his RSA Conference 2014 session, “So Why on Earth Would You WANT to Be a CISO?” Fitzgerald captured the challenge facing all who are thinking of moving into the CISO career track when he shared a…


RFID: Connecting Users and Devices

by Christopher Burgess on March 13, 2014

Radio-frequency identification (RFID) chips are permeating our life at every level—at work, at home, and on the go. And while there is an important distinction between RFID and near field communications (NFC) chips, the premise is similar. For example, you may carry a dongle which opens your automobile door when it’s within 20 feet of the vehicle. Whereas if you have a credit card from a European…


Data Leakage: The Human End-Around to DLP

by Christopher Burgess on January 28, 2014

The old adages “still water finds its own level” and “moving water finds a path of least resistance” both have applicability when we think of data leakage and employees’ engagement with data loss prevention (DLP) processes, policies, procedures, and software. With still water, data is at rest; with moving water, your data is in transit. There are also two types of employees: Those who are trying to…


5 Tips for Handling Compromised Customer Data

by Christopher Burgess on January 21, 2014

Rarely does a week go by when you don’t hear or read of a data breach and the accompanying loss of customer data or client personal identifying information (PII). Having a data breach plan in place that provides an honest, direct, and customer-centric solution will go a long way toward retaining the customers or clients affected. Though no one ever wants these things to happen, data breaches do…


Event Denial: If I Don’t Report It, Did It Really Happen?

by Christopher Burgess on January 7, 2014

“If a tree falls in the forest and no one is there to hear it, does it make a sound?” The technological equivalent of this query within cyber security exists, unfortunately: “If a compromise occurs and no one reports it, did it really happen?” The answer in both instances is, “of course.” Yet the recent survey of 200 security professionals by Opinion Matters for Threat Track reveals that two-th…


Intellectual Property Theft: The Insider

by Christopher Burgess on May 20, 2015

If you are responsible for protecting your company from the risk of a trusted insider stealing intellectual property, consider packing a lunch because it’s going to be a bit of a journey. Intellectual property (IP) means different things to different people. And far too many believe they don’t have access to the company’s IP, and therefore are not responsible for protecting it. First, …


Inquiring Minds Want to Know: How Do You Implement Business Security?

by Christopher Burgess on January 16, 2015

Business security is not a new concept. Storeowners have alarms, video, and guards to keep the ne’er-do-wells of the world at bay. Corporations that handle money have to worry about embezzlers (does the fact that it is “white-collar crime” mean it is more sanitary as a crime?). And all who handle data must address the business of securing their data. Never Assume The number of data breaches and…


Data Privacy in the Era of Sharing

by Christopher Burgess on January 1, 2015

Information is meant to be obtained, consumed, and, above all, shared. Yet we sit today in a new era of data privacy and transparency, where consumers want to know how and where their information will be used. It doesn’t matter if the information aggregation happened with their direct participation or if it was collected wholesale. As we collaborate, share, and enable, we must ensure we do so…


Three Reasons Why Employees Chafe at Security Policies

by Christopher Burgess on December 12, 2014

How often have you heard someone say, “We can’t do it that way, because our security policies prohibit . . . ” Perhaps they were discussing customer data security and the means to achieve frictionless engagement. Variants of this conversation occur every day, and if you are the chief information security officer (CISO), you need to maintain these policies. Here are three reasons why employees…


Public or Private Cloud: How Secure Is Your Cloud?

by Christopher Burgess on November 27, 2014

Public and private cloud customers have many providers to choose from. The cloud offers low-cost data storage solutions and infrastructure to host web applications and processes. The company can remove applications from client-side devices, and it doesn’t need skilled IT professionals to manage the infrastructure. In a September Forbes article, “How to Avoid a Cloud Strategy Fail,”…


The Human Element in the Data Breach

by Christopher Burgess on November 17, 2014

We are all familiar with the adage, “to err is human; to really foul things up requires a computer,” which implies that the computer may be to blame for many data breach calamities. Alas, it appears the erring human is also culpable. Take, for example, the recent kerfuffle surrounding Apple’s iCloud and the compromise of celebrity accounts containing salacious photos. After much slinging of…


Security in the Cloud? Your Questions and Cloud Resources

by Christopher Burgess on October 16, 2014

The “cloud” is a nebulous concept. The “private cloud” is not as clearly defined as the “public cloud,” but it is still confusing. Of course, we have a long list of questions regarding the cloud, but it’s important to ask questions specifically about how cloud data is stored and kept secure. Resources to secure the cloud are plentiful. Here are some of the most important questions organizations…


Security Risks: Mitigating the Human Element

by Christopher Burgess on September 30, 2014

Logs, logs, and more logs: They bury our sys admins charged with protecting our networks. The larger the company, the more data there is to process. Sorting out the false positives from those requiring immediate attention is key. We can do this by focusing on what our users are doing. We are all thankful for the plethora of tools that allow us to consume the myriad of logs and help us, the mere…


3 Reasons to Consider a Managed Security Services Partner

by Christopher Burgess on September 11, 2014

Companies are generally cataloged as small, medium, or large. But size does not matter to a cybercriminal or an unethical competitor, who view companies as either soft and vulnerable, or hardened and difficult. Companies need to determine what level of “hardness” they need to achieve, and whether they want to build it themselves, partner with a managed security services entity, or a little of…


The Business of Security

by Christopher Burgess on August 6, 2014

Some of the most affable salespersons any of us have ever encountered are in the business of selling security. The business of security takes on many personas: technology, intelligence, awareness, knowledge, automation, hardware, software, legal, identity, BYOD, privacy, insider or outsider, risk and risk tolerance, and identity. At the recent RSA Conference 2014, many presentations touched one…


Robust Security Intelligence: How Different Security Infrastructures Measure Up

by Christopher Burgess on July 25, 2014

What constitutes good security infrastructure? Ask a member of a security vendor’s sales team, and he might hand you an order book with all the boxes checked. Ask a consultant, and her solution might focus on an extended hand-holding engagement. Ask a member of a country’s cybersecurity emergency response team (CERT), and he will talk about national infrastructure and public-private partnerships. …


Incident Response: Is the House Really on Fire?

by Christopher Burgess on July 16, 2014

The comparison of incident response teams to fire departments has been around for many years, with well-funded entities within enterprises likened to professional fire departments in a large city and the less-funded teams within small-medium businesses (SMBs) likened to volunteer fire departments found in smaller communities. The difference between the well-funded and volunteer teams can be…


BYOD: Security and Privacy

by Christopher Burgess on June 18, 2014

If your office has a BYOD (bring your own device) policy, your employees are connecting your ecosystem with their own devices, as are your partners with your intranet—and you may have little knowledge about these devices. The good news is that BYOD security and privacy implementation has a number of defined paths that can help you navigate through this jungle of privacy, security, and legal…


Disruption Can Wound or Kill, With or Without Social Engineering

by Christopher Burgess on June 2, 2014

The realization that your team is in the sights of individuals performing social engineering attacks is alarming. To think the information they elicited or the actions they induced were used to perform attacks involving your customers—well, you’d naturally feel panicked. But what if you were that customer, whose data or whose network has been made vulnerable by the actions of your team? Think it…


National and International Security Awareness Initiatives

by Christopher Burgess on May 23, 2014

Programs such as National Cyber Security Awareness Month (US) and Safer Internet Day (global) are designed to heighten international awareness for both companies and consumers. But who benefits? Individuals? Small and medium businesses (SMBs)? Enterprises? Individual Awareness Over the course of the past five years, National Cyber Security Awareness Month (NCSAM) has evolved from providing…


Cloud Service Maturing in Southeast Asia

by Christopher Burgess on May 12, 2014

Cloud service adoption and build-out in Southeast Asia is not new, as evidenced by the rapid pace in which Thailand, Malaysia, and Singapore took key positions in the data center and cloud service provider categories in 2011. Indeed, in 2012, the Singapore government offered incentives to companies to adopt cloud computing, and according to the Singapore Economic Development Board, Singapore was…


BYOD Is Alive and Growing in APAC

by Christopher Burgess on May 5, 2014

Bring your own device (BYOD) adoption in APAC is alive and well, and is expected to increase by more than 20 percent from 2014 to 2020, according to a study by Grand View Research. Two driving factors for this growth are reduced hardware costs and the maturation of cloud-based solutions, and the devices of choice are smartphones and tablets. What’s in it for the businesses? A report from…


The Security Threat Posed by Social Engineering

by Christopher Burgess on April 10, 2014

When one uses the words “security threat” and “social engineering” together, the analogy of hand-in-glove is appropriate. At the RSA Conference 2014, this was adroitly explained in the session “When the Phone Is More Dangerous Than Malware” hosted by Christopher Hadnagy and Michele Fincher, both of Social-Engineer, Inc., as they walked the attendees through how social engineers collect, sort, …


Training Bad Habits Out of Users: End User Training

by Christopher Burgess on April 1, 2014

User behavior is the magic ingredient which can ensure end user training programs are successful or an ignoble failure. The recent RSA Conference 2014 in San Francisco featured a panel discussion on this topic, “Changing User Behavior: The Science of Awareness” hosted by Frank Dimina, director of federal sales at Check Point Software Technologies. Dimina asked the panelists (Kati Rodzon, an…


When Security Policies Collide With Business Realities

by Christopher Burgess on February 4, 2014

Horror stories abound about the wayward employee who ignored the established information security policies in an effort to get the job done. The employee didn’t mean to put the company at risk, but that’s exactly what happened. In situations like this, the employee is likely caught in the switches between the information security policies of the company and the goals and expectations of his…


Security Awareness? “Once and Done” Does Not Teach Awareness

by Christopher Burgess on January 23, 2014

A new employee shows up on day one and walks through his ID card briefing, compensation and benefits brief, and security brief, meets his new team and manager, and tries to retain all the information rushing out at him via the orientation fire hose. All boxes checked, the employee is good to go, and the security team notes that 100 percent of all new employees continue to receive security…


4 Ways Social Network Engagement Can Derail a Company

by Christopher Burgess on January 16, 2014

Social network engagement is mainstream. Rare is the company who does not have a presence on a social network, with engagement including customer education and support, product launch, personnel recruitment, and competitive intelligence. Yet we continue to see occasions where improper employee use of technology can result in loss of intellectual property, inappropriate use of a social network for…