CISO Corner: Barry Caplin, VP, Chief Information Security Official, Fairview Health Services

I spoke with Barry Caplin, VP, Chief Information Security Official, Fairview Health Services, at length regarding his security philosophy and the changing role of the CISO. Our conversation can be found here:

Who were some of the early influencers in your career?

I've worked under some great leaders, yet I don't think there is any single person who significantly shaped my career. My views on security and the role of the CISO have evolved over time, so my influencers are varied. I continue to listen to Bruce Schneier as I find his views on security valuable.

What drew you to...

Managing Third-Party Security Means Getting Compliance in Check

Compliance is tricky, and vendors are necessary. These two facts account for a lot of headaches in software development, especially in heavily regulated industries (e.g., healthcare and finance) that handle huge volumes of sensitive data as a matter of course. Further compounding these issues is the fact that first parties are generally just as liable for third-party missteps as they are for their own errors. Governmental bodies such as the OCC, government-regulated mandates such as the Dodd-Frank Act and industry standards such as PCI all hold first parties accountable when third parties make...

Hiring App Developers: Secure Traits to Search for in Third Parties

In some ways, hiring a third-party development team is like bringing on a new employee: You look for the traits, skills and experience you want, and you make a qualified decision based on your research. But the process can be much more complex in practice. After all, hiring app developers for a particular project requires you to make a number of considerations and take several risks. While there is no one-size-fits-all test you can use to evaluate your third-party prospects, there are more than a few general traits you can expect all vendors to exhibit, regardless of your industry. Here's...

Why Security Compliance Is a Yearlong Commitment

Security isn't just a scheduled event or a box on a checklist — and increasingly, neither is security compliance. Sure, countless people reading this article have pulled the "prepare for audit" shuffle, in which entire departments run around like proverbial headless chickens to ready themselves for that dreaded moment when the auditor walks through the door. And that stress makes sense: Keeping up with all those rules, which often seem like they were crafted by people who've never spent a day in development, can be a nightmare. But not all rules are arbitrary —...

Target Data Breach Settlement Provides Takeaways for Other Businesses

After the 2013 data breach of Target's retail systems, which exposed the records of over 70 million customers, some of those affected filed a class-action lawsuit against the company. Target recently settled that lawsuit, putting aside a substantial sum of money, and became a rare example of a data breach victim that had to pay damages. This lawsuit should be seen as a warning to other businesses that additional damages could add to the already costly negative PR and direct financial losses that poor security controls can cause. The Target Data Breach Settlement Court documents filed...

The Internet of Things Puts a Threat on Every Wrist

The Internet has been abuzz with things lately — or maybe it's the other way around. The Internet of Things is here to stay, and that has meant a lot of changes for application and enterprise security. As apps diversify and everything from seemingly innocuous Fitbits to complicated bring-your-own-device programs become the norm, managing threats to secure enterprises will become an increasingly creative and multifaceted endeavor. Soon, keeping track of smartphone OS versions and apps will seem easy compared to the problems brought about by wearables and the latest crop of tablet-...

Build Third-Party Relationships Through Effective Communication

The fact that communication is a vital aspect of successful third-party relationships is obvious. ("You mean to tell me I have to talk to the companies producing my code? Jeez, next you'll say I have to give them money or something!") That said, simple statements can hold a lot of meaning, and woe be unto companies that don't do a good job communicating in all the forms that interactions with vendors and others can take. Effectively navigating a vendor/customer relationship from start to finish requires a concentrated effort from multiple arms of an organization; on the...

VENOM – Not as Deadly as a Heartbleed

This morning, CrowdStrike issued a vulnerability disclosure for CVE-2015-3456 — branded VENOM (Virtualized Environment Neglected Operations Manipulation). VENOM is a security vulnerability in the virtual floppy drive code used by many computer virtualization platforms. I’ve seen a few articles from reputable outlets claiming that the vulnerability is “bigger than Heartbleed.” While I do believe companies should absolutely apply patches as they become available, I’m not convinced this vulnerability will have the same level of severity as Heartbleed. If we are...

Is the UK Police Force Keeping up with the Shift to Cybercrime?

Over 3,800 officers enrolled in training, Freedom of Information reveals

Along with so many other spheres of our lives in today's digital world, crime has changed dramatically in recent times. Criminals are smart to the fact that cyberspace presents a lucrative alternative to more old-school methods. Or perhaps cybercrime is just attracting a different crowd to those whom your local bobby would traditionally encounter: one tucked away in the safety of his or her own bedroom, far removed from the offenders that police officers have been trained to deal with. In light of the...

Even Software From a Large Supplier Can Have Vulnerabilities

The software an enterprise buys can introduce just as much risk into the organization as the software the enterprise builds itself. However, even enterprises that have mature secure development processes are prone to inadequately securing their software supply chain. Why? Because ensuring the software an enterprise is purchasing is secure is hard. Typical software supply chain security programs consist of questionnaires — trusting that vendors are truthful and knowledgeable about their security programs. However, when a testing process is put into place, 90 percent of vendor-supplied...