
Date: Friday, 23 Oct 2009 14:04

Economic recovery, innovation, and demand for new business models will create limitless opportunities in 2010.

Get this business strategy report, go to: Business_2010

www.csoboard.com/Publications

Author: "info@csoboard.com (Jaime Chanaga)" Tags: "Business, Economy"
Date: Wednesday, 07 Oct 2009 03:11

On Monday the U.S. Federal Trade Commission (FTC) announced new rules (Wall Street Journal: http://online.wsj.com/article/BT-CO-20091006-709182.html) that will require internet bloggers to disclose when they have received cash or other payment for endorsing the services and products of a company. While this news may have caused a stir in the online community, the FTC’s actions made me stop and think about the current business world we live in.

We live in a global business climate where personal responsibility, ethics, and doing what is morally correct are undervalued and often a detriment to a person’s career mobility. I’m not saying every company or corporate culture rewards bad behavior—although I’ve seen some industries and organizations that do reward unethical behavior.  The truth lies somewhere closer to the reality that it is easier for people to look the other way and ignore bad behavior, even to the point of ignoring the personal responsibility for transparency and basic decency in all of our actions individually and collectively.

Fast forward to the information security or “cybersecurity” world we thrive in. Personally I’m saddened that the FTC would have to legislate what should be a basic tenet of being a business professional or in a position of trust as a blogger or celebrity. As working professionals in our respective career fields, there should never be a question as to where our moral compass is showing the way.  As a management consultant, technology executive, and security professional, one thing has always been clear in my mind—the value of personal ethics in all I do.  Have I made my share of mistakes in my career?  Absolutely. Have I learned from those mistakes?  Yes!  Remember that being an ethical person does not guarantee you will not make mistakes.

The information/cybersecurity industry is innovating at an unprecedented speed.  Industry and government regulations attempt to instill personal, cultural, and corporate responsibility. These well intentioned efforts will fail to accomplish their intent unless people take personal responsibility. 

One of the best lessons I’ve learned is that having clear personal responsibility and ethics in your words and actions in the security profession is more important than all of the technical or formal knowledge you acquire in the security profession. Trust your moral compass.  Do what is correct, ethical, honest, transparent, and good for your clients, your organization, your community, and our world.

 

Author: "info@csoboard.com (Jaime Chanaga)" Tags: "Business, Cybersecurity, Economy"
Date: Friday, 07 Aug 2009 21:07

CEOs must fundamentally change their thinking about the strategic and bottom line importance of information security in the 21st century.  Information security and the challenges for the protection of data entrusted to organizations is outpacing government and industry enforcement capabilities. CEOs who understand this sooner will be able to ensure their organizations are better prepared to meet those challenges.

You may read the article "IT is a must" at BT Quarterly: http://www.btquarterly.com/?mc=it-must&page=sp-viewarticle.  Please note you will be required to register for free at BT Quarterly to read the article.

Author: "Jaime Chanaga, CISSP, CISA" Tags: "Business, Cybersecurity, Economy"
Date: Friday, 29 May 2009 16:00

I wrote this report and just published it on my consulting firm's website. This executive report examines three important trends of cybersecurity importance for business. We are facing difficult economic times. Organizations who proactively plan and manage cybersecurity risks will be better positioned to succeed in the global business environment.

To download this report go to:

http://www.csoboard.com/Publications

Author: "Jaime Chanaga, CISSP, CISA" Tags: "Business"
Date: Saturday, 09 May 2009 05:30


The University of California, Berkeley, has set up a website http://datatheft.berkeley.edu/ informing the general public about a data security breach carried out by hackers who may have accessed a database at the university's campus health services center.

My thoughts... It is my hope that this incident will serve as a wake-up call to healthcare organizations and educational institutions of the need for stronger information security management.  I've long believed that healthcare and educational institutions have a greater responsibility for the confidentiality, integrity, and availability of the personal information entrusted to them by their students, staff, and business partners.

As a former Chief Information Security Officer (CISO) in healthcare, I know firsthand the data security and privacy risks for that industry. The healthcare industry collects and processes more personal information on patients than most financial institutions. For hackers seeking to steal personal information to be able to conduct financial fraud, healthcare organizations are easy targets, given the limited financial resources those organizations have devoted to protecting the personal information of patients, staff, and business partners. Healthcare organizations need to invest in more information security defenses and education for their staff.  Meeting an audit report for regulatory compliance is not sufficient and healthcare organizations must invest in information security as an integral part of their way of doing business.


Author: "Jaime Chanaga, CISSP, CISA" Tags: "Data Breach"
Date: Tuesday, 05 May 2009 19:45

The Virginia Prescription Monitoring Program (PMP) was hit by hackers according to media reports. (See Washington Post: http://voices.washingtonpost.com/securityfix/2009/05/hackers_break_into_virginia_he.html)

The suspected hackers deleted the pharmacy records of 8 million patients in the state's databases and hijacked the PMP website with a $10 million ransom note to return the data records.  The state is referring all inquiries to the U.S. FBI.

More news regarding this incident:

FBI Probes $10M Hacker-Ransom Claim in Virginia
http://www.cbsnews.com/stories/2009/05/05/tech/main4992372.shtml

Alleged hacker demands $10 mil for Va medical records
http://www.timesdispatch.com/rtd/news/local/article/HACKGAT05_20090504-212004/265693/


Author: "Jaime Chanaga, CISSP, CISA" Tags: "Data Breach"
Date: Wednesday, 22 Apr 2009 15:57

During the week that the RSA Conference is held in San Francisco, another event takes place that is always the highlight of the week.  That event is the SC Magazine Awards Gala industry awards.  This is one of those events I look forward to every year and I'm sure many IT security industry companies also look forward to having their solutions honored by an award.

The SC Magazine 2009 Awards Gala event, held last night at the Hilton Hotel, was the best awards event that I've attended in recent years.  Despite the economic news we hear every day, you could tell from observing that the companies attending, nominated, and honored are growing and providing solutions that customers are demanding.  This leads me to believe that the IT industry in general has at least one very large bright spot and that is IT security.

I won't pontificate on the merits of IT security solutions or the value of purchasing those solutions.  I'll let you be the judge of those solutions.  Here is the link for the list of winners of the SC Magazine Awards 2009 -- http://www.scmagazineus.com/pages/section/945/

Thanks to SC Magazine, the judges, nominees, winners, and most importantly thanks to the customers and clients we in the IT security industry serve.  You, our customers in many industries, have allowed us the privilege and honor of serving you with IT security solutions that protect your organizations from risks both on-line and offline.  Thank you for allowing us to serve you, our customers.

Author: "Jaime Chanaga, CISSP, CISA" Tags: "Business"
Date: Monday, 20 Apr 2009 04:05

I couldn't sleep tonight and was reading on-line on recent cybersecurity challenges and ran across an article in the San Francisco Chronicle regarding this year's RSA Conference.  (See SFGate.com: Somber year for RSA Conference on cybersecurity).  The RSA Conference is one of the largest gatherings of cybersecurity professionals in the world. 

The SF Chronicle article crystallized for me what I have been feeling as an information security professional, a feeling that today more than ever, cybersecurity has a real impact on our daily lives.  Unfortunately due to the current economic crisis, many organizations are being forced to scale back their Information Technology (IT) and information security budgets. 

Organizations should carefully consider their investments in light of current economic conditions and make wise investments in cybersecurity.  Prudent investments in cybersecurity will help to safeguard an organization's intellectual property, business transactions, and the data/information entrusted to them by their clients and business partners.

As I travel to the RSA Conference this week, I hope to interact with other information security professionals and colleagues and learn how they are helping their organizations by adding value and performance improvements to their organizations.

Author: "Jaime Chanaga, CISSP, CISA" Tags: "Economy"
Date: Thursday, 12 Mar 2009 16:21

Several media outlets are reporting on an investigation being led by the U.S. Federal Bureau of Investigation targeting officials in the Office of the Chief Technology Officer (OCTO) for the government of the District of Columbia.

According to news reports, Yusuf Acar, the Information Systems Security Officer (ISSO) for the OCTO has been arrested by the FBI.

Yusuf Acar worked for Vivek Kundra, who recently left his role as Chief Technology Officer for the District of Columbia to become President Obama's nominee for Chief Information Officer for the Federal Government.

See more at:

Washington Post - Breaking: D.C. Tech Official Busted in Federal Bribery Sting  http://voices.washingtonpost.com/dc/2009/03/breaking_dc_tech_official_bust.html

Associated Press - FBI searches DC government office, arrests worker
http://www.google.com/hostednews/ap/article/ALeqM5hMT9GSjeFeuiRWPCUKflpfkvfw3QD96SIU584

ABC News - FBI Arrests DC Official
http://blogs.abcnews.com/politicalpunch/2009/03/fbi-arrests-dc.html

Fox News - Obama's Pick for Information Officer Raided by FBI
http://www.foxnews.com/politics/first100days/2009/03/12/obamas-pick-information-officer-raided-fbi/

Author: "Jaime Chanaga, CISSP, CISA" Tags: "Current Affairs"
Date: Friday, 06 Mar 2009 18:10

SC Magazine: Leading through the good and bad
by Jaime Chanaga, CISSP, CISA - CEO, The CSO Board

As the drumbeat of negative economic updates seems to overwhelm our daily news cycles, we tend to forget that at the heart of any business engine is people.

Read the full article here:
http://www.scmagazineus.com/Leading-through-the-good-and-bad/article/128340/

Author: "Jaime Chanaga, CISSP, CISA" Tags: "Economy"
Date: Wednesday, 25 Feb 2009 20:52

Normally I don't complain about anything on-line.  However, today I will make an exception.  My AT&T Wireless cell phone service started to have issues this morning.  I have just spent the last 30 minutes on the phone with Customer Service, only to be told there is a potential network outage (voice/data) on the AT&T Wireless network in Texas, affecting the Dallas area.

The only information I have at this time are two technical support trouble ticket numbers TT000009764939 and TT000009768806.  As soon as I find out more information I will post it here.

I have been a loyal premier business customer of AT&T Wireless for a very long time and hope they can find a resolution to this network outage.  I have posted this on twitter under #ATTWireless if you would like to follow any further updates to my experience on this issue affecting users of AT&T Wireless services.


Author: "Jaime Chanaga, CISSP, CISA" Tags: "Business"
Date: Monday, 12 Jan 2009 12:00

The University of Rochester has disclosed (see official notice) that a non-academic student database was compromised resulting in the data theft of social security numbers of current and former students.  Estimates by the university are that approximately 450 people are affected in this incident.

The University has notified the FBI, the New York State Attorney General, the Consumer Protection Board, and the Office of Cyber Security.  The University is also offering to pay for credit monitoring services for the victims affected by this data breach. 

Author: "Jaime Chanaga, CISSP, CISA" Tags: "Data Breach"
Date: Saturday, 03 Jan 2009 01:52

As the new year begins, I'm hopeful that despite the negative forecasts for the U.S. economy, there will be areas of business and technology growth driven by increasing regulatory and compliance mandates for organizations across many industries. Organizations should begin to look at ways they can leverage and optimize their use of information security management programs and technologies to enhance the operational and financial efficiency of their information technology services portfolios. Regulatory compliance as a stand alone business function does not add value to the financial bottom line of any organization.

It is up to those responsible for information technology and security management to find ways to add operational and financial value to their organization. To my fellow information technology and security colleagues, I urge you to make 2009 a year in which you actively brainstorm and produce tangible added value to your organization. Let's do our part to help the economy grow--every action of added value can help! One thing I'm confident about is the ingenuity and resourcefulness of information technology and security professionals.

If you have an idea on how information technology and security can bring added value in 2009 to any organization, please share it with me or the readers of this blog.

Best wishes for success in 2009!

Author: "Jaime Chanaga, CISSP, CISA" Tags: "Business"
Date: Thursday, 25 Dec 2008 19:49


Author: "Jaime Chanaga"
Date: Wednesday, 15 Oct 2008 11:00

A study just released by Compuware, the 2008 Study on the Uncertainty of Data Breach Detection, shows that among surveyed companies the leading cause at 75% for data breaches is negligence on the part of company insiders.  Malicious intent by insiders only accounted for 26% of detected data breaches.  Not surprisingly 1% of all data breaches are attributed to external hackers.  However, the 1% of data breaches attributed to external hackers may be underreported, as organizations are careful to avoid the perception of being vulnerable.

For more information on the 2008 Study on the Uncertainty of Data Breach Detection, please visit Compuware at: www.compuware.com/databreach

Author: "Jaime Chanaga" Tags: "Business"
Date: Friday, 10 Oct 2008 11:00

As Election Day approaches in the 2008 U.S. Presidential General Election, I'm growing more concerned we could see more widespread electronic voter fraud attempts.  Given this highly charged political climate, it is no wonder that supporters of either ideological camp may be tempted to tamper with electronic voting systems to favor their respective political candidates.

Despite the public scrutiny of electronic voting machine systems by various researchers, universities, and state governments, there is much more to be desired in terms of guaranteeing the integrity and transparency of the electronic voting process.

Some State Governments including California have taken leadership in conducting comprehensive, public, and well intentioned information security audits of electronic voting systems.  Although these tests have revealed serious flaws in the hardware and software security of commonly used electronic voting machines and tabulation systems, little is being done on a national level to address the concerns of serious security researchers and technology industry experts.

In this democracy, it is up to each one of us as citizens to require from our elected political leaders transparency and integrity in our efforts for national electronic voting adoption.  We should not allow this democracy to be blinded or held hostage by partisan interests.

Articles & Resources on Electronic Voting

Wikipedia - Electronic Voting
Ohio Secretary of State - Study: Voting Systems Vulnerable
California Secretary of State - Top-to-Bottom Review
Debate hot over e-vote security
MIT - Does Your Vote Count? It Depends On Who's Counting Your Vote
States Ready E-voting Systems
Interview - The Grill: Avi Rubin

Author: "Jaime Chanaga" Tags: "Current Affairs"
Date: Tuesday, 07 Oct 2008 03:42

Shell Oil Co. is warning (click here for link to notification) U.S. based staff that a database containing the names, dates of birth, and social security numbers (SSN) for former and current employees was misused by an IT contractor. 

The allegation is that the IT contractor filed false unemployment claims using the identities of four Shell employees.  Shell has terminated its contract with the IT contract firm in question and is cooperating with local and State of Texas authorities to completely investigate this fraud incident.

Shell should be applauded for their prompt action to investigate and find ways of mitigating the impact of this incident.  Hopefully those guilty of conducting this fraud will be successfully prosecuted for their egregious breach of trust.

Author: "Jaime Chanaga" Tags: "Data Breach"
Date: Thursday, 25 Sep 2008 06:25

The Health Information Trust Alliance or HITRUST (http://www.hitrustalliance.org) is an independent organization working with leaders and leading organizations in healthcare, business, technology and information security to help advance the quality improvement and cost effectiveness of the protection of electronic information within the healthcare system in the United States.

In working towards this goal, HITRUST is currently developing a Common Security Framework (CSF) Program to enable healthcare related organizations to gain better understanding and adoption of the various industry regulations and international standards for information security such as:  ISO 27001, ISO 27002, PCI DSS, CoBIT, HIPAA, and others.

"The HITRUST Common Security Framework Program, through the collaboration of HITRUST and organizations that represent the full spectrum of the healthcare, professional services, information technology, information systems and information security, is establishing the HITRUST Common Security Framework (CSF), a comprehensive, certifiable set of tools to aid organizations in protecting their information assets and managing related risks, costs and complexities." (http://www.hitrustalliance.org/programs/)

As a former CISO in the healthcare industry with an understanding of the challenges faced by healthcare organizations I welcome the efforts of HITRUST.

Author: "Jaime Chanaga" Tags: "Business"
Date: Friday, 29 Aug 2008 11:30

The Bank of New York Mellon (NYSE: BK) suffered the loss of 10 unencrypted data tapes in May 2008.  At the time of this incident, the bank estimated the tapes contained the personal information on approximately 4.5 million customers. 

After subsequent computer forensic examination of the data tapes, the bank is now reporting that the data tapes could contain the personal information on as many as 12.5 million bank customers.

Opinion: A lesson that all businesses should learn is to consider data encryption as another layer of security when storing sensitive personal and financial information.  Encryption won't prevent data breaches or accidental disclosure of sensitive business information, however encryption can prevent your sensitive business information from falling into the wrong hands.


Bank of NY Mellon data breach now affects 12.5 mln

http://www.reuters.com/article/domesticNews/idUSN2834717120080828?sp=true

Author: "Jaime Chanaga" Tags: "Data Breach"
Date: Tuesday, 19 Aug 2008 18:34

The New York Times broke the story that The Princeton Review's website exposed the personal data and standardized test scores of approximately 100,000 students. 

The New York Times article - Student Files Are Exposed on Web Site

Author: "Jaime Chanaga" Tags: "Data Breach"