As companies continue to shift data and resources to electronic formats, a trend growing faster year over year, information and cyber risks move to the top of management’s priority list. This means that management must dedicate more resources – resources that don’t exist – to the management of information risk. This shortage of human resources, combined with an exponentially growing digital attack surface, means companies must […]
I recently participated in a CIO round-table to discuss the mechanisms by which management teams assess information technology risks. Almost all of the CIOs said they were performing regular risk assessments, but they also expressed a lot of concern over whether the assessments were performed consistently or with high quality. The major concern among the CIOs was that they didn’t have a realistic view […]
Nearly six months after the fact, I received a letter from the Office of Personnel Management notifying me that my information had officially been lost in the June 2015 breach.
To add insult to injury, I was never actually a federal government employee. A few years ago, I consulted on a […]
Penetration testing has become another hot, and often misused, term in the marketplace, joining the ranks of other buzzwords such as “Cybersecurity”, “Hacker” and “The Cloud”. Oftentimes, organizations confuse penetration testing with vulnerability scans or security posture assessments (a.k.a. risk assessments).
While penetration testing does include utilizing vulnerability scans and overlaps with security posture assessments, penetration testing encompasses a number […]
Electronics are becoming a commodity – there’s not much profit in selling cell phones or laptops anymore (unless you’re Apple). So most companies are moving away from investing in hardware as their core business and shifting towards services. Services come in many shapes and sizes, but usually include consulting services, applications, or analyzing and selling customer data.
Customer data is where it becomes interesting. As […]
I have had several conversations with executives recently about the role of penetration testing and whether or not penetration testing is worth the risk. There seem to be two schools of thought on this issue. One side argues that pen testing is inherently riskier than the risk it’s trying to mitigate; the other side calls it necessary for security hardening. Here […]
Bridge the Gap Between Internal Audit & Enterprise Risk Management – Identify Business Drivers (PART 4)
Author’s Note: This series will help you build an ERM system that will bridge the gap between Internal Audit (IA) and Enterprise Risk Management (ERM).
Business Drivers are typically defined by executive management with guidance from the board of directors. From an internal […]
Join our IT Audit, Risk, and Compliance group on LinkedIn.
The purpose of this group is to promote the exchange of ideas and resources within the IT audit, risk, and compliance profession. I hope this group can function as a clearinghouse for articles, resources, and jobs, and most importantly be a […]
A recent post from Cyber Security Investigative Reporter, Brian Krebs, does a great job of reminding IT and Information Security professionals everywhere why proper Network Segmentation is so important.
The post, “Inside Target Corp., Days after 2013 Breach”, goes into detail about how, once criminals infiltrated Target’s corporate network, they were able to run free within the […]