By:
On:
In: *Connecting the Dots Blog*, Information Security, Legal, Regulatory Compliance, Risk Management

Two recent headlines caught my attention: Construction Company Sues Bank for Money Lost in Cyber Scam Couple’s Lawsuit Against Bank Over Breach to Move Forward In both of these cases, banks are being sued for not taking adequate precautions that could have prevented cyber thieves from stealing money from the customers’ accounts.  The customers claim that the banks did not offer two-factor authentication and also failed to notice suspicious and anomalous behavior.  Therefore, the customers are claiming that the banks breached their duty to protect account holder information. These lawsuits could have significant ramifications and I will be curious to see the final outcome.  ShouldRead More →

By:
On:
In: *Connecting the Dots Blog*, Uncategorized

Step 10 is: Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the nation. Step 10 is definitely needed.  Step 10 mentions privacy which is generally more about collection and dissemination of sensitive and personally identifiable information (PII) than securing or protecting sensitive information.  Privacy is generally more about People and Processes and security is generally more about Technology; however I think President Obama is smart to mention the need to build an identity management vision and strategy that addresses privacy and civil liberties. I have to say….I am surprised that President Obama has notRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Security

Step 9 of President Obama’s 10-point action plan is: In collaboration with other Executive Office of the President entities, develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions. I love the sound of Step 9!  It is like a great pre-game speech from a well respected coach talking about game-changing strategies and teamwork and relying and trusting each teammate to do their part in their goal to winRead More →

By:
On:
In: *Connecting the Dots Blog*, Incident Reporting, Information Privacy, Information Security, Regulatory Compliance

Step 8 of President Obama’s 10-point action plan is: Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement. Keywords in Step 8 include: Prepare, Initiate, Dialog, Partnership, Streamlining, Aligning, Optimize. Preparing an incident response plan is a great idea and can play a critical role in the success of a cybersecurity action plan, however a lot organizations have incident response plans that are not producing much if any feedback.   Why are traditional response plans not working? Problems with traditional incident response plans lack anonymity on theRead More →

By:
On:
In: *Connecting the Dots Blog*, Business Continuity, Information Security, Risk Management

Step 7 is: Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity. Wow…this is a very complex step when you consider the Cyberspace Policy Review described cybersecurity policy as: cybersecurity policy as used in this document includes strategy, policy, and standards regarding the security of and operations in cyberspace, and encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missionsRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Security, Risk Management

Step 6 of President Obama’s Cybersecurity plan is a great idea and it states: Step 6 – Initiate a national public awareness and education campaign to promote cybersecurity. Lessons Learned from national public awareness and education campaigns show that they can work very well with “simple and straightforward” issues such as drunk driving, seat-belts or forest fires.  For example, most of us have heard of “over the limit, under arrest” or “click-it or ticket” or “only you can prevent forest fires”.  But cybersecurity is not “simple and straightforward”. Lessons Learned, experts and reports unanimously agree that cybersecurity related attacks are becoming more and more sophisticatedRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Security, Risk Management

Ok, now we are starting to get into the action points that have a lot more complexity and will absolutely require an “intelligent playbook” and innovative tools to implement appropriate mechanisms, priorities, processes, policies, roles, responsibilities, activities and more across the federal government.  Based on Lessons Learned, Inspector General Reports and a recent May 2009 GAO Report that stated 23 out of 24 major federal agencies had weaknesses in their agencywide information security programs…it is obvious that action point 5 is going to be extremely difficult to implement and manage.  Action Point 5 – Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priorityRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security

So the new Cybersecurity Adviser (aka Head Coach) will be announced this week…and as I mentioned previously regarding Step 1 and Step 2, the Head Coach will play a vital role in coordinating people, entities, policies, activities, strategies and ongoing updates as strategies and threats change.  We reviewed how the Head Coach will need to implement an “intelligent playbook” to ensure all appropriate people have access to customized knowledge they need to make better decisions and achieve better results.  The “cybersecurity intelligent playbook” will no doubt need tools that will empower the Head Coach and enable all appropriate personnel to have secure accessibility to theirRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security

Part 2 of several to come… Looking over President Obama’s 10-point action plan, there is no doubt that the key to successfully protecting, deterring, preventing, detecting and defending our digital infrastructure and strategic national assets will be the “playbook” and the “execution of the playbook” by all appropriate individuals. Step 1 of the 10-point action plan is to appoint a cybersecurity policy official responsible for coordinating the nation’s cybersecurity policies and activities and coordinate with National Security Council and National Economic Council to coordinate interagency development of cybersecurity- related strategy and policy.  Sounds like a Head Coach and more to me… The Head Coach isRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security

Part 1 of several to come… Thank you President Obama! As you probably saw in the news, President Obama presented a 10-point action plan aimed at securing federal government’s critical IT infrastructure. I missed the President’s live press conference that day, so when I returned to the office I found the news story about the President’s 10-point action plan.  There is no doubt that cybersecurity has become a significant concern for government and private organizations too and I wanted to see specifically what President Obama’s 10-point action plan looked like and if it targeted some of the challenges I have seen in my 20+ yearsRead More →