Practicing Your Crisis Response: How Well Can You Handle Right of Boom?

Ultimately, a crisis simulation enables an organization to pressure-test its incident response plans — including who has decision-making authority and who communicates what to whom — identify gaps, and improve strategy and tactics accordingly. After all, it’s much better to go through a series of practice runs than to be thrown to the wolves when the real crisis happens.

If there’s one thing 2017 taught us, it’s that we need to get ready for the inevitable data breach — especially regarding how we respond once we know about the “boom,” which is the time we first learn of a security event.

A new report by IBM’s Institute for Business Value (IBV), “Beyond the Boom: Improving Decision Making in a Security Crisis,” emphasized the value of conducting crisis response simulations for top leadership. The report comes amid increased global awareness about the likelihood and impact of cyberattacks, as evidenced by the World Economic Forum (WEF)’s “2018 Global Risks Report.”

Another positive development is the shift from a primarily defense-oriented mindset to a more agile approach to cyber resilience.

Why “Security” and “Efficiency” Should Never Be Used in the Same Sentence

Efficiencies in business are great, but for them to be effective, a precondition needs to exist: nothing goes wrong. We’re finding out in the cybersecurity world – something that touches everything – that a lot is going wrong.

Marching along well into 2018, I think it’s safe to say we’re not experiencing a cybersecurity revolution. Sure, there has been some great advancement in tech, with AI and blockchain applications beginning to steamroll. It seems that if you add “blockchain” to whatever you’re doing, you’ll get a bump in business. Really, this happened in late 2017.

Data Integrity: The Next Big Challenge

Data integrity is an important issue to keep an eye on because of that entire confidence thing we talked about earlier. Without confidence, we’re going to run into a lot of problems that will not be easy to untangle. And that untangling will be mega-expensive.

Many of us in the cybersecurity world have followed this general mantra: protect the data, protect the data, protect the data. It’s a good mantra to follow, and ultimately that is what we are all trying to do.

But there are different ways to protect data. The obvious method is to make sure it doesn’t get ripped off, but as we have noted in previous pieces, the lexicon we use can be troublesome at times. This is particularly true when there is room for cultural interpretation (that’s one of the reasons why curbing international cybercrime is really hard).

That lexicon problem extends into many different areas, including what “protecting” the data means. “Protecting” data goes well beyond making sure it doesn’t get stolen. It means the data isn’t tampered with and is still usable, as it was originally intended to be used. That data can be financial statements, design schematics, or RFP bids.

Here’s the key that makes the world go around and around: confidence. If counterfeit data starts to circulate widely, our confidence in the data begins to diminish. Therefore, it’s just a matter of time before I start asking: do I really trust this financial statement, design schematic – whatever, really – to be legitimate? If I don’t, I’ve got a problem. And if I no longer want to accept the data you’re giving me as legitimate, you’ve got a problem, too.

SEC Releases Updated Guidance For Cybersecurity Disclosure

Overall, the updated SEC guidance set the bar a little higher and provided clear reminders — or, when needed, warnings — about the responsibilities of management and the board regarding cybersecurity disclosure.

“Today, the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century.” — SEC Commission Statement and Guidance on Public Company Cybersecurity Disclosures

On Feb. 21, 2018, the U.S. Securities and Exchange Commission (SEC) released updated guidance on cybersecurity disclosure for public companies. The agency updated the document’s previous language, which was released in 2011, regarding cyber risks and their impact on investment decisions.

Listen to Your Cassandras to Avoid Cybersecurity Disasters

Just as business leaders have shifted their mindset to account for the inevitability of a data breach, the many cybersecurity calamities of 2017 should influence them to reassess how they treat Cassandras and prepare their security teams for a potentially catastrophic cyber event.

After such a tumultuous 2017, it’s hard to imagine things getting worse in the cybersecurity world, but one book predicted just that. While not solely focused on cybersecurity disasters, “Warnings: Finding Cassandras to Stop Catastrophes” by Richard A. Clarke and R.P. Eddy is a wake-up call for business leaders and lawmakers who often fail to heed warnings from experts about future calamities in the making, many of which are related to the evolving technology landscape.

Chief information security officers (CISOs) are sure to appreciate the many references to IT and security, and will likely want to share the book with the top leadership at their organization. In fact, The Washington Times called the book “essential reading” to understand how to improve our ability to deal with the “pervasive and continuous turbulence” of our times.

The End of Evidence

We’ve clearly fallen behind the times legislatively with respect to cybersecurity laws.

Perhaps you noticed from a recent Vanity Fair publication that Oprah Winfrey has three hands and Reese Witherspoon has some odd-looking legs. Of course they really don’t. This was just “magic gone wrong” in the world of photo editing and likely invoked more than a few Homer Simpson “d’ohs!” and forehead smacks.

Goofy mistakes aside, some photo editing and CGI work has been quite impressive and will surely get better. AI is even playing a role in this space. We’re going to keep this blog G-rated, but if you’re following the technology, it is possible to put somebody’s face on somebody else’s body in videos that are highly suggestive. Thankfully, at a quick glance you can still tell these are fakes, but for how long will the naked eye be able to spot a fake?

So what do fake images and videos have to do with cybersecurity? Well, it’s a question of data integrity.

The Principles of a Safe Secure & Intelligent (S2I) Communications System

And that’s it. That is the entire basis for developing these principles, the rules of the road, these guiding lights, so that we can protect these systems we so dearly rely on.

What is a principle? The “know all” (aka, Google) tells us a principle is: “a fundamental truth or proposition that serves as the foundation for a system of belief or behavior or for a chain of reasoning.”

What is a communication system? The other “know all” (aka, Wikipedia) tells us a communication system is: “In telecommunication, a communications system is a collection of individual communications networks, transmission systems, relay stations, tributary stations, and data terminal equipment usually capable of interconnection and interoperation to form an integrated whole.”

What Can We Learn From the World Economic Forum’s Cyber Resilience Playbook

While it may be tempting to dismiss this document as a directive aimed solely at politicians and policymakers, the playbook lays out very real risks that organizations around the world must face when dealing with their own cyber resilience capabilities.

When the World Economic Forum (WEF) released its “Global Risks Report 2018,” in January, it also issued a new report titled “Cyber Resilience: Playbook for Public-Private Collaboration,” which aims to improve the way governments and policymakers around the world make decisions about cybersecurity. Since, as the report noted, the first line of defense is rarely the government, this framework is designed to promote collaboration both within our own borders and across the globe.

To create the framework, the WEF, in collaboration with the Boston Consulting Group, asked its experts to create an initial list of values that policymakers would need to weigh when choosing between various cyber policies. The 30 options were eventually distilled down to five key values that are central to any choice regarding cybersecurity policy: security, privacy, economic value, fairness and accountability. The remaining 25 options can be mapped to one of these five key values.

The Freedom to Communicate

The Internet has allowed speech to move freely. It is the railroad system of the 1800s, and nobody should ever be denied entry onto a rail car for discriminatory reasons, especially when those reasons can serve as a proxy to deny somebody their constitutional rights. And because the Internet rests on the use of radio spectrum, a federally regulated property, nothing should prohibit the free exercise or abridging of the freedom to communicate.

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

– The First Amendment of the United States Constitution

Think back to a time when there was no social media, no mass media, and no printing press. How was a message passed? Two ways: through oral conversation or the laborious task of duplicating messages by hand.

These two conditions meant that your message didn’t really go far, but then again, neither did you. Most of your business was decided in your community, and you had little fear of far-off places impacting your life.

Fast forward to today. The technological leaps we have made allow us to replicate the message faster, spread the message faster, and reach a wider audience. I hit “publish” and this article is theoretically accessible to over 3 billion people by the first degree.

Generally speaking, these advances have worked out well for us. Think free societies, scientific innovation, friendships and bonds.