Compliance does not equal security
The effort to meet Level 1 PCI compliance reveals a new security mantra to our manager.
By Mathias Thurman | 12 Jan
Looking out for your company can mean looking beyond the perimeter.
By Mathias Thurman | 14 Dec
A couple of worthwhile security initiatives will languish if staffers have no incentive to work on them. Solution? Tie them to bonus pay.
By Mathias Thurman | 29 Oct
SSO will bring several benefits, but our manager has to be prepared to address any security lapses that could accompany it.
By Mathias Thurman | 05 Oct
The annual security conference was a chance to go deep. But back in the office, how do you get 100% of the company’s employees to complete the security awareness training?
By Mathias Thurman | 02 Sep
We bought a next-generation firewall, as I had hoped we would. The real trick, though, was getting the IT department to take full advantage of all of its advanced functionality.
By Mathias Thurman | 18 Aug
The IT department was reluctant to take full advantage of the advanced functionality. So our manager annoyed them into compliance.
By Mathias Thurman | 17 Aug
Vulnerabilities can take many forms, and you can't expect to uncover them all unless you have a diverse portfolio of tools to help you in the hunt.
By Mathias Thurman | 03 Jul
For the past few weeks, I've been knee-deep in PCI compliance. <a href="http://www.computerworld.com/article/2883319/awareness-on-the-cheap.html">I have previously mentioned</a> that although my company's current credit card transaction volume doesn't require a full PCI audit, we have made a business decision to get the full PCI Report on Compliance, which entails hiring a qualified security assessor (QSA), submitting evidence, conducting a variety of qualified penetration tests and assessment scans and ultimately having an auditor spend about a week on site reviewing evidence and conducting in-depth testing of the 400-plus controls.
By Mathias Thurman | 24 Jun
One thing that we security managers can be sure of is this: There is no guarantee that our company will not suffer a security breach. In fact, the odds are increasing all the time, helped along by the proliferation of mobile devices, companies' heavy use of software as a service and the <a href="http://www.computerworld.com/category/consumerization/?nsdr=true">consumerization of IT</a>. And let's face it: Creating a culture that fosters innovation and attracts talent exacts a cost in defensibility.
By Mathias Thurman | 12 May
I mentioned in a previous article that we are using <a href="http://www.computerworld.com/article/2894450/making-the-case-for-security.html">a "loaner" Palo Alto Networks firewall</a>, with all the bells and whistles. Our testing led to all sorts of interesting discoveries, and I certainly hope that the executive staff will agree that the increased visibility makes this sort of new-generation firewall well worth the investment.
By Mathias Thurman | 09 Apr
Having been at my new company for several months now, this week I was invited to inform executive management about the state of our security. I had half an hour to formally introduce myself and talk about my philosophy, my initial findings and the priorities I think we need to have.
By Mathias Thurman | 11 Mar
You don't have to spend a lot of money on some information security initiatives. Take <a href="http://www.computerworld.com/article/2504968/cyberwarfare/security-awareness-can-be-the-most-cost-effective-security-measure.html">security awareness</a>, for example. You can get huge returns with small investments.
By Mathias Thurman | 13 Feb
Looking around at how things are done at my new company, it's pretty easy for me to find security problems lurking virtually everywhere.
By Mathias Thurman | 03 Dec
As I moved into the information security position at my new company a few weeks ago, I was anxious to do a full assessment of our security defenses. But I was immediately sidetracked by, not one, but two major vulnerabilities that couldn't be ignored. Those were fires that had to be put out before I could do anything else.
By Mathias Thurman | 28 Oct