Archive

Posts Tagged ‘physical security’

New CISO at Target

Photo Courtesy of Target

Target named its new CISO today. Brad Maiorino will fill a newly created post called senior vice president and chief information security officer. When the Target search began, I shared the comment with several other security analysts wondering who would want that job. Apparently, Mr. Maiorino, who comes from General Motors and General Electric where he held similar positions, wants it. I imagine he feels excited about the opportunity to rebuild a security program with a substantial budget and likely a wide latitude. Plus, any breaches occurring in the first six months or so could easily be blamed on the previous administration. That gives him a year of smooth sailing and liberal spending. After that, the rubber hits the road and he will be on trial more than most CISOs.

The Snowden conversation we are all having in one way or another…

Edward Snowden (source Wikipedia)

Edward Snowden did one important thing: He made an important conversation on security and ethics popular and international.

On one hand, he told us something we always knew: Spies spy. That is, stealthily gathering secrets, usually associated with times of war or matters of national security, is the third(?) oldest profession.  :-)
Spying on specific national interests is assumed, expected, and probably universal, which is why the feigned indignation of global leaders is laughable.
However, spying on a populace is extreme. Spying is normal when its targets are decision makers, influencers and information handlers. Regular citizens, though, don’t qualify for surveillance unless they are associated in some other way with a security threat.
  • Surveillance of a high crime street corner is appropriate
  • Surveillance of a shoplifting-prone market is appropriate
  • Surveillance of military leaders engaged in assault on national interests is expected
  • Yet combing through private communications and collecting information that may someday be factored as a risk destroys the fabric of trust between a people and its government.
Therefore, surveillance in itself is morally neutral, neither good nor bad. Sometimes it’s downright necessary for security or loss prevention. It’s a simple formula: Analyze meta data, identify risks, manage risks.
This surveillance and spying conversation, however, sends shivers down the backs of security managers and executives.
My recent informal research shows that security executives are Least Aware of physical threats to information. Every security executive we’ve interviewed had an understanding of physical threats to information (unauthorized visitors, dumpster diving, etc.) but almost none had studied or measured the risks associated with physical threats to information, nor did they have in place thorough procedures to protect against them.
…and Least Prepared for social engineering and physical penetration.  Every security executive confessed that confidential company information was at risk of social engineering attacks (phony phone conversations, pretexting, impersonation, spear-phishing, etc.).  Physical penetrations were even more frightening to some executives who were certain that their confidential company information could be collected and conveyed out of the building (in the form of printed documents, photos, memory sticks, etc.) by
  • an unauthorized visitor tailgating into the building
  • an attacker bypassing security controls at doors and fences
  • rogue employees or contractors (a la Snowden)
  • an internal attacker of any type
We are all in this discussion now, public and private organizations, data and physical infrastructures. Now tell me your opinion. Do you think the “Snowden affair” is relevant to your organization?  Is it a physical security issue? A cybersecurity issue? Both? Something different?
(Published by Steve Hunt previously on SecurityCurrent.com)
(Photo credit: Wikipedia)

SecurityDreamer Trends Report

February 14, 2013

Overview

Each year since 2005, SecurityDreamer blogger and industry analyst, Steve Hunt, conducts surveys of end user security executives, tracking trends related to the business of security. We cover physical security and IT security equally at SecurityDreamer, carving our unique niche in the industry. Here is a taste of our findings. Sorry, the complete findings are not available except to Steve Hunt’s consulting clients and participants in the research.

Methodology

I find that narratives yield more insight and are more accurate than statistics. Therefore, the SecurityDreamer approach is to conduct dozens of personal interviews, by phone, email or in person. Each interview covers a subset of topics. Data gathered is generally qualitative and anecdotal, rather than quantitative.

Topics Included

  • Awareness
  • Budgeting/Spending
  • Business Continuity
  • Consultants, Use of
  • Event Management
  • Executive Buy-in
  • Identity & Access Management
  • Identity Theft
  • Interdepartmental Collaboration
  • Operational Best Practices
  • Penetration Testing
  • Physical Information Protection
  • Social Engineering
  • Staffing/Headcount
  • Strategy & Planning
  • Technology Lifecycle Management
  • Technology Selection

Approximately 50 companies participated in the survey, representing 11 industries.

Industry            % of participants
Energy              19
Finance             16
Business Svcs       14
Online Merchants    13
Banking              8
Healthcare           8
Retail               6
High-Tech            6
HighTech             4
Entertainment        3
Food&Hospitality     3

Summary Findings from the SecurityDreamer Research

Increased Spending

While operational security budgets saw little growth across all industries, spending for new projects increased steadily in Energy, Finance, High-Tech and Entertainment. New IT security and physical security projects most notably included

  • Security operations centers
  • Virtual command centers
  • Security information management systems (SIEM, PSIM)
  • Networked cameras and sensors at high-risk facilities

Greatest Challenge

CSOs and CISOs complained that their greatest business challenge is metrics: Normal operational metrics, such as improved response time to security incidents, or numbers of malicious code detections are not compelling to business leaders. Security executives seek better ways to calculate ROI, justify purchases, and measure the success of deployments.

Most Surprising finding of 2012

Collecting Company Wisdom. Far more companies in more industries are documenting processes than we’ve seen in previous surveys.  Continual Improvement (a la Baldrige, Kaizen, Six Sigma, etc.) appears to be the primary motivation. Security executives realize that much of the know-how of security operations resides in the heads of its local security managers. In a hope to benefit from the sharing of this business intelligence, companies are using a variety of techniques (surveys, performance reviews, online forms) to gather it.

Least Aware of This Threat

Physical threats to information rose to the top of the list of issues about which CISOs and CSOs know the least.  Every security executive we interviewed had an understanding of physical threats to information (unauthorized visitors, dumpster diving, etc.) but almost none had studied or measured the risks associated with physical threats to information, nor did they have in place thorough procedures to protect against them.

Least Prepared for This Threat

Two related concepts represent the threat which nearly all security executives feel least prepared to address: social engineering and physical penetration.  Every security executive confessed that confidential company information was at risk of social engineering attacks (phony phone conversations, pretexting, impersonation, spear-phishing, etc.).  Physical penetrations were even more frightening to some executives who were certain that their confidential company information could be collected and conveyed out of the building (in the form of printed documents, photos, memory sticks, etc.) by

  • an unauthorized visitor tailgating into the building
  • an attacker bypassing security controls at doors and fences
  • rogue employees or contractors
  • an internal attacker of any type

Scoring big in corporate dumpster diving

February 19, 2009

Think your company takes data protection seriously? You may need to give it the dumpster diving test. This big bank was pretty surprised what I came up with.

http://www.viddler.com/player/da155f1a/