Building CISO Relevance: Written For BitSight

BitSight is a very interesting security startup that is trying to do something we all have wanted for a long time. Their goal is to find ways to actually quantify risk in a measurable, objective way. If they achieve anything close to that goal, it’s a big deal. I went to work for CORE Security because they are in that same space: using data to provide objective insight into the risk an organization faces.

I was happy to post as a guest on BitSight’s blog because of that. I chose to hit on my favorite topic, being relevant to your business. I think it’s a pretty good read and you should check it out.

I’ve got no interest in BitSight other than wanting to see a good security idea succeed.

Here’s what I think is the key bit of the whole thing.

… security leaders are not outsiders. You don’t need to gain a seat at the table or learn the business or align with the business. You’re already a part of the business—that’s why they hired you. You just need to be relevant to your business.

Go read the whole thing.


A New Adventure

As most people in my personal and professional networks know, I am leaving Providence Health & Services for a new job. But, unless I’ve talked directly with you about it, it’s likely that you don’t know WHERE that new job is. Today all the waiting is over. Before this, all of the executive leadership of Providence had to be informed and all the employees of my new company needed to know what was happening.


Upgraded to iOS7

Yep, I followed along with all the other Apple peeps and upgraded both my iPhone and iPad to iOS7 yesterday. Unlike all the media reports about the insanity of trying to perform the upgrade, I really had no issues.

Around 10 AM I upgraded my MacBook Air to MacOS 10.8.5 and iTunes 11.1 (necessary for iOS7). That took about 15 minutes. Then I started the iPhone upgrade, fully expecting a nightmare as everyone else was reporting. 15 minutes later my phone was “verifying” the update with Apple. That took about 5 minutes and I was all done on the iPhone 5. Then I started the iPad Mini; that was complete within another 30 minutes.

My one complaint on this front is that I had to use a WiFi network to perform the download/upgrade, instead of AT&T’s LTE network. LTE is quite a bit faster than the WiFi network I was on, although clearly it wouldn’t have made that much difference.

I had no pain, no lost anything, no borked devices, etc. I had to figure out how to turn off background updating for apps as that was sucking the life out of my battery worse than anything else I’ve yet seen. Other than that, great upgrade, very painless and easy.

As far as whether it’s a “must have” upgrade … that depends. Do you have all Apple devices, as I do? Then the answer is unequivocally yes. As soon as Mavericks (code name for the next version of MacOS) is out, the integration between iPhone, iPad and MacBook will be significant. Already I can use Airdrop to easily move files between phone and laptop. The integration will go much deeper though, including calendars, iBooks, Maps, iCloud Keychain and so forth.

If you are an iPhone/iPad user, but your computer is Windows based, the story isn’t compelling at all from an integration perspective. HOWEVER, you will still have iCloud keychain, iCloud improvements generally, better multi-tasking, improved folder design (I love this feature), Control Center, improved Notifications, a much better Camera app, a better Safari, iTunes Radio and a bunch of other stuff. Plus I’ve noticed that the OS is more responsive and generally feels better than iOS6.

So, like normal with Apple, there is no revolutionary change to iOS (just as there won’t be with MacOS). That said, it just keeps evolving and getting better, more stable, easier to use … and all without the frustrating changes in behavior and use cases that you see from the other guys. Nope, the device just works and does what I need to do well, no fuss, no muss.

Here’s a screenshot after the upgrade:

[Image: ios7-screenshot]


Presentation At Gartner’s Security Summit in Australia

I had a great (albeit way too short) time in Australia last month. I got to meet some folks, spend some time with old friends and gave the closing guest keynote presentation for the Summit. For those who weren’t there, I thought you might like to see the presentation. Sadly, you won’t get to see me giving it.

But here it is: Achieving Relevance and Value as a Security Professional

Hope you enjoy it.


Oh Noes


ISSA International Conference Featured Speaker

Yes, your favorite blog author is going to be speaking at the ISSA International Conference this year. In fact, I will be one of their Featured Speakers. And just because I like it that way, I decided to go out on a limb a bit.

From the agenda:

Predictive Security – Another Meaningless Marketing Term? Or A Real Possibility?
Eric Cowperthwaite – Chief Information Security Officer – large hospital system on the West Coast of the USA.

In this session, we will look at what the term “Predictive Security” means, we’ll consider if it is just a marketing term to suck in the unwary CISO and then we will explore if Predictive Security can actually make a difference to your enterprise security program.

Come on out to Nashville and see if I am full of it, or not!


Gartner Security Summit Keynote

Paul Proctor got on stage and captured the attention of 2400 security professionals. He lampooned the NSA, brought the ghosts of security on stage and even highlighted my organization for the changes we’ve been able to accomplish.

Key themes: BYOD, cloud and mobility are changing everything … Again. You have to help the business. During this time of transformation, security must reset.

I captured a lot of it in my twitter feed, which you can find under #GartnerSec.

I’ll share more on twitter and this blog as we go.


All Your Data Are Belong To US

It has become very apparent that something security and privacy professionals have talked about for a long time has become quite real. And I think there’s really no putting the genie back in the bottle, either, sadly.

Basically, once there was enough bandwidth and computing power, it was only a matter of time before all your electronic activity became available to anyone with the ability to harvest it. And now it is becoming quite clear that the NSA has gathered enough data on phone calls, email, online purchasing, web surfing and undoubtedly much more to be able to piece together pretty much anything about an individual that they want to know. Who you associate with, who you don’t like, what your political leanings are, whether you work conscientiously at your job or surf pornography in your spare time. They can find out.

Of course, given the reality of how big data like this works, an individual person doesn’t actually know all of that personally about another individual in general. Instead, all the data to allow it is in a huge set of data stores. And when it comes time to want to know everything about someone, then a query gets started and suddenly an NSA analyst can provide a full portrait of my activity and behavior to whoever is asking for it. Until then, you are as anonymous as the billion other people whose data sits in there.

Meanwhile, the bad guys are going to muddy the waters, spoof the systems, do everything they can do to hide their own activities and behavior from the NSA.

Congress could pass a law tomorrow preventing this sort of data gathering and big data application to surveillance and intelligence gathering. It won’t matter one bit. The data has been gathered, the methods created, the bandwidth exists and the computing power. If you think the Chinese government isn’t doing this already, I’ve got a bridge in New York to sell you.

I’m not suggesting that you should just give up, shrug your shoulders and ignore the problem. I am suggesting you be realistic about this. Realize that if the US government (or China, Russia, France, Israel, UK and many others) really wants to know all about someone, they can find out most all of what there is to know. Your only hope to avoid this is to do what cyber warriors do … use encryption … all the time … never use Facebook, Twitter, LinkedIn … run all your internet connections through multiple proxies. Always use an alias, not your real name. Never use online services provided by major US companies (Amazon, Google, Microsoft, etc). Never buy anything online. Never use credit cards in your own name to buy anything, online or in real life.

Of course, this is completely unrealistic for most of us. We simply can’t go back to the world of 1990. And even then, as Osama bin Laden found out, they can still find you through your eventual connections to people who are communicating with cell phones, posting stuff online, etc.

Basically, you can’t escape, so make your time. All Your Base Are Belong To Us


Off to DC and Gartner

The timing seems fortuitous …. I’m sitting in the Alaska Air lounge, waiting to board my flight for DC so that I can attend the Gartner Security & Risk Management Summit. With all of the revelations last week showing us just how far and wide the US government has flung its data gathering net, this should be a fascinating week to be at a big security conference.

Aside from that, I’m looking forward to connecting with all the friends and colleagues I see when I go off to events like this. And hopefully picking up one new idea.

See you all there.


Interesting Learning At CITE13

Okay, here’s a first thought from CITE Conference & Expo 2013.

People doing consumer technology in the enterprise take security seriously. Much more seriously, in my opinion, than the average IT guy does, certainly. Not only that, but you guys are much more realistic and thoughtful about what constitutes good security than many of the people in the IT security profession.

I really enjoyed that. Thanks all!
