
InfoSecurity PROFESSIONAL
MARCH/APRIL 2019
A Publication for the (ISC)2® Membership

TRUTH OR CONSEQUENCES
Your users aren’t the only ones being duped by fake posts and messaging

TALK TO ME
A former CISO discusses how to speak cyber to businesspeople

PROJECT MANAGEMENT
A different way to embed cybersecurity during product development

TOP WEBINARS AROUND THE WORLD

isc2.org facebook.com/isc2fb twitter.com/ISC2 linkedin.com/company/isc2 community.isc2.org


Achieve the CCSP – the Top Certification
Professionals Plan to Earn in 2019
For four years in a row, CCSP has topped Certification Magazine’s
Next Big Thing list as the No. 1 certification that annual salary
survey respondents plan to earn. Download the Ultimate Guide to
the CCSP to see how this premier credential can differentiate you
as a globally respected security leader.

Get Your Guide at:


www.isc2.org/CCSP-Ultimate-Guide
contents ¦¦¦ VOLUME 12 • ISSUE 2

features

THREATS
20 Truth or Consequences
It is becoming harder, even for seasoned cybersecurity professionals, to discern what’s real and what’s fake.
BY JAMES HAYES

PROFESSIONAL DEVELOPMENT
24 Watch Your Language
How to effectively engage ‘cyberignorants’ to gain buy-in for your security wish list.
BY ADAM WOJNICKI, CISSP

MANAGEMENT
28 Cybersecurity’s Project Management Impact
How cybersecurity can impact project management.
BY CHIP JARNAGIN, MBA, CISSP, PMP, CSM, AND JAIME B. SAINZ, MBA, CISSP, CISM, PMP

departments

4 EDITOR’S NOTE
Let’s Get Real
BY ANNE SAITA

6 EXECUTIVE LETTER
30 Years of Inspiring a Safe and Secure Cyber World
BY DAVID SHEARER

8 FIELD NOTES
Accolades for the CISSP; top (ISC)2 webinars in 2018; meet the organization’s new EMEA cybersecurity advocate; Steely Dan founding member among Secure Summit speakers; recommended reading and more.

14 #NEXTCHAPTER
(ISC)2 Northern Virginia Chapter

16 ADVOCATE’S CORNER
Power to the People
BY JOHN McCUMBER

33 CENTER POINTS
It’s All in the Numbers
BY PAT CRAVEN

34 COMMUNITY
Chipping Employees
Members weigh in on whether a voluntary chip program is worth the potential backlash.

4 AD INDEX

Cover illustration: GORDON STUDER. Illustration above (PAGE 24): TAYLOR CALLERY.

InfoSecurity Professional is produced by Twirling Tiger Media, 7 Jeffrey Road, Franklin, MA 02038. Contact by email: [email protected]. The information contained in this publication represents the views and opinions of the respective authors and may not represent the views and opinions of (ISC)2® on the issues discussed as of the date of publication. No part of this document print or digital may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), or for any purpose, without the express written permission of (ISC)2. (ISC)2, the (ISC)2 digital logo and all other product, service or certification names are registered marks or trademarks of the International Information Systems Security Certification Consortium, Incorporated, in the United States and/or other countries. The names of actual products and companies mentioned herein may be the trademarks of their respective owners. For subscription information, please visit www.isc2.org. To obtain permission to reprint materials, please email [email protected]. To request advertising information, please email [email protected]. ©2019 (ISC)2 Incorporated. All rights reserved.

RETURN TO
InfoSecurity Professional | 3 | March/April 2019 CONTENTS
editor’s note ¦¦¦ by Anne Saita

Let’s Get Real

YEARS AGO, when I was an adjunct instructor at a major American university, I saw a request on an education listserv (remember those?) and struck up an email conversation with a professor trying to connect students with professionals in the field. The email address looked legit, so I passed on her request to an old college friend willing to assist. I thought nothing of it until months later, when I got a call from that friend letting me know the professor didn’t exist. Something in one of the emails felt off, he said, so he did some digging and discovered we’d both been part of some scam with an elusive endgame.

“Aren’t you, of all people, supposed to not fall for this kind of thing?” he said. By then I was about five years into covering the information security industry, and I took that comment badly.

This issue’s cover story on how to find credible sources in an era of disinformation touches on something similar. We’ve written in previous issues about the ongoing success of sophisticated phishing and vishing, but mainly by pointing to the end users that (ISC)2 members serve. This time, we look more inward. As BeyondTrust’s Brian Chappell notes, “While security professionals [as individuals] are—generally—less likely to fall prey to cyberattacks, they are far from invulnerable, and certainly not immune.”

It’s my hope that after reading James Hayes’ article, each of you will reconsider some of the ways you too can be exploited, especially as more LinkedIn-type solicitations show up in your inbox due to a growing global cybersecurity labor shortage. In our other features, you also may pick up some great tips for embedding security in projects, both planned or underway, and learn the language of business from a former CISO to better engage with other units within an organization.

As always, feel free to let me know what you think and what you’d like to see more of in future magazine features. •

Anne Saita, editor-in-chief, lives and works on the U.S. West Coast. She can be reached at [email protected].
Photo: ©Rob Andrew Photography

(ISC)2 MANAGEMENT TEAM

EXECUTIVE PUBLISHER
Timothy Garon
571-303-1320
[email protected]

SENIOR MANAGER, CORPORATE COMMUNICATIONS
Jarred LeFebvre
727-316-8129
[email protected]

CORPORATE PUBLIC RELATIONS MANAGER
Brian Alberti
617-510-1540
[email protected]

SENIOR CORPORATE COMMUNICATIONS SPECIALIST
Kaity Eagle
727-683-0146
[email protected]

MANAGER, MEDIA SERVICES
Michelle Schweitz
727-201-5770
[email protected]

EVENT PLANNER
Tammy Muhtadi
727-493-4481
[email protected]

SALES
VENDOR SPONSORSHIP
Lisa Pettograsso
[email protected]

EDITORIAL ADVISORY BOARD
Anita Bateman, U.S.
Kaity Eagle, (ISC)2
Jarred LeFebvre, (ISC)2
Yves Le Roux, EMEA
Cesar Olivera, Brazil and Canada

TWIRLING TIGER MEDIA EDITORIAL TEAM
EDITOR-IN-CHIEF
Anne Saita
[email protected]

ART DIRECTOR & PRODUCTION
Maureen Joyce
[email protected]

MANAGING EDITOR
Deborah Johnson

EDITOR
Paul South

PROOFREADER
Ken Krause

Twirling Tiger Media (www.twirlingtigermedia.com) is certified as a Women’s Business Enterprise (WBE) by the Women’s Business Enterprise National Council (WBENC). This partnership reflects (ISC)2’s commitment to supplier diversity.

ADVERTISER INDEX
For information about advertising in this publication, please contact Vendor Sponsorship: Lisa Pettograsso, [email protected].

(ISC)2 Certifications ............ 2
(ISC)2 Security Congress ............ 5
(ISC)2 Secure Summit DC ............ 7
Vulnerability Central ............ 11
Penn State ............ 13
(ISC)2 Secure Summit LATAM ............ 17
(ISC)2 Secure Summit EMEA ............ 18-19
(ISC)2 Secure Summit APAC ............ 35
EMEA InfoSec Europe ............ 36
(ISC)² Security Congress
EARLY BIRD PRICING through August 15
Oct. 28 - 30 • Orlando, FL • Swan & Dolphin

(ISC)² Members SAVE $200 • 4000+ Attendees • 100+ Sessions • Earn up to 46 CPEs

All Access Pass Benefits:
• Educational Sessions, Keynotes & Workshops
• Networking Luncheons
• Expo Hall
• Town Hall & Career Center
• Networking Night
• CSA Summit & Expo Hall Pub Crawl

SAVE $50 Off All Access Pass with code: INFOSECD18

REGISTER TODAY!
congress.isc2.org
#ISC2Congress
executive letter ¦ ¦ ¦ THE LATEST FROM (ISC)2’S LEADERSHIP

30 Years of Inspiring a Safe and Secure Cyber World
by David Shearer

HARD TO BELIEVE, but this year marks our 30th anniversary. As we approach 150,000 members worldwide, I wanted to reflect on what we’ve accomplished recently and where we’re heading.

Improved Online Security and Platforms
We added multifactor authentication as an additional layer of security to our members’ online (ISC)2 accounts, along with an improved web-based member dashboard. The upgrades are part of a huge digital transformation that took place largely in 2018 so members can better manage their memberships, leverage (ISC)2 benefits and engage with our staff.

(ISC)2 Security Congress Moves to Orlando
This year’s annual Security Congress will be held Oct. 28 to 30 at the Walt Disney World Swan and Dolphin Resort in Orlando. After two back-to-back sold-out conferences, we wanted a larger venue in a city with an international-travel-friendly airport so more members from around the globe can attend. Orlando fits that bill and will be the home of Security Congress for years to follow. Registration is open now, so make plans to join us in Florida later this year!

New Advocates in Asia-Pacific and EMEA
Tony Vizza, CISSP, joined our team as Director of Cybersecurity Advocacy, Asia-Pacific. With more than 25 years of experience, Tony is focused on educating the public and private sectors about the need for stronger cybersecurity training, policies and recruitment. Mary-Jo de Leeuw recently joined (ISC)2 as our Director of Cybersecurity Advocacy, EMEA. Last year, she was ranked as one of the U.K.’s 50 most influential women in cybersecurity, and we are thrilled to have her as part of our team.

Helping to Keep Families Safe Online
The nonprofit Center for Cyber Safety and Education continues to expand all its Safe and Secure Online educational and scholarship programs around the world. The award-winning Garfield cyber safety education program for children has been proven to increase cyber safety knowledge by 28 percent. The materials for parents and seniors are currently available in eight languages and the Center’s goal is to have them in 30 languages this year.

Workforce Gap and Additional Industry Research
Our latest Cybersecurity Workforce Study found the cybersecurity skills shortage growing to a 2.93 million global gap. But our research is focused on more than the gap as we examine challenges facing the profession to find solutions for not just the profession, but the professional. Other 2018 research reports include Building a Resilient Cybersecurity Culture and Hiring and Retaining Top Cybersecurity Talent.

Think Tank Webinar Channel Lauded
The (ISC)2 Think Tank webinar channel, which features 60-minute roundtable discussions with industry experts, last year was named “Highest Growth Channel” in the IT category by BrightTalk. If you’re not already taking advantage of these free webinars, I highly encourage you to do so.

Look for More Professional Development Opportunities
A key focus for (ISC)2 this year is professional development. We want to ensure that all of our material is deeply enriching to members’ careers, no matter where they are in their journey. We debuted multiple new courses last year that are free to (ISC)2 members and will introduce more courses later in 2019.

We hope to see many of you throughout the year at our (ISC)2 Secure Summits and at Security Congress in October. •

David Shearer is CEO of (ISC)2. He can be reached at [email protected].

SUMMIT / DC

Defining Cybersecurity in 2019

Join us at (ISC)² Secure Summit DC for two days of insightful discussion, workshops and best-practices sharing. Focused on Defining Cybersecurity, the event will address our profession’s greatest challenges and effective new approaches for preparing and defending national cybersecurity in today’s workforce.

Secure Summit DC 2019 will feature these tracks:
• The Profession and Your Responsibilities
• Threats
• New Technologies
• Industrial Control Systems
• IoT

Why You Should Attend
• Gain tools and resources to become a more effective and well-rounded practitioner
• Complement broad understanding of cybersecurity strategies and principles
• Strengthen your organization’s security posture
• Network with like-minded professionals
• Earn valuable CPE credits

Register Now
field notes ¦ ¦ ¦ EDITED BY DEBORAH JOHNSON

A ROUNDUP OF WHAT’S HAPPENING IN (ISC)2 COMMUNITIES

Accolades for the (ISC)2 CISSP Certification

THE (ISC)2 CISSP is “one of the best known and most widely respected cybersecurity certifications of them all….” That praise is the opening salvo to Certification Magazine’s review of the CISSP certification, Salary Survey Extra: Deep Focus on (ISC)2’s CISSP.

The 2018 Salary Survey placed the CISSP at No. 20, with an annual average salary for certificate holders of $131,030 in the United States and $90,640 (USD) for non-U.S. respondents. Nearly 70 percent of the U.S. respondents reported being satisfied with their salary; the magazine did not cite the percentage of non-U.S. respondents.

When it comes to demographics, the CISSP cuts a wide swath. The survey noted the “progressive” makeup of the certification holders, with 10.2 percent women. The age breakout shows that most (89 percent) of the respondents are in prime working age: between the ages of 35 and 44 (25.1 percent), 45 and 54 (39.1 percent), or 55 and 64 (29.1 percent).

The survey also revealed that CISSP holders experience the value of the certification, with more than 80 percent of the respondents agreeing that “since becoming certified, I feel there is a greater demand for my skills.” More than half (59.6 percent) agreed that “becoming certified has increased my workplace productivity.”

To view the complete results of the survey, visit http://certmag.com/salary-survey-extra-deep-focus-isc2s-cissp/. •

Images: iStock

2019 Key IT Investments
• Business Intelligence/Data Analytics
• Cyber/Information Security
• Cloud Services
• Core System Improvements
• Digital Business Initiatives
• Customer/User Experience
• Artificial Intelligence/Machine Learning
Source: CIO from IDG, 7 Key IT Investments for 2019 (and 3 Going Cold), https://www.cio.com/article/3328685/budget/hot-and-cold-tech-investments-budget-trends.html

READ. QUIZ. EARN.
Earn Two CPEs for Reading This Issue
Please note that (ISC)2 submits CPEs for (ISC)2’s InfoSecurity Professional magazine on your behalf within five business days. This will automatically assign you two Group A CPEs.
Note: To access this members-only platform and quiz, you’ll need a Blue Sky account. If you don’t have an account, go to the Blue Sky homepage via the link and click on “Create User Profile” in the upper right-hand corner.
https://live.blueskybroadcast.com/bsb/client/CL_DEFAULT.asp?Client=411114&PCAT=7777&CAT=10803

Top Webinars for 2018*

Webinars produced by (ISC)2 in collaboration with a project sponsor
*Ranked by view rating

NORTH AMERICA

The Workforce Gap Widens: The Need to Focus on Skills Development
Sponsor: (ISC)2
https://www.isc2.org/en/News-and-Events/Webinars/Security-Briefing?commid=338201

The Hunt for IoT and Its Threat to Modern Life
Sponsor: F5
https://www.isc2.org/en/News-and-Events/Webinars/Security-Briefing?commid=304619

Levers of Human Deception: Science & Methodology of Social Engineering
Sponsor: KnowBe4
https://www.isc2.org/en/News-and-Events/Webinars/Security-Briefing?commid=334390

Threat Detection in TLS: The Good, Bad & Ugly
Sponsor: Gigamon
https://www.isc2.org/en/News-and-Events/Webinars/Security-Briefing?commid=321233

Information Security: Organizational Dynamics
Sponsor: 451 Research
https://www.isc2.org/en/News-and-Events/Webinars/Security-Briefing?commid=315933

EMEA

Machine Learning in Infosec: Debunking Buzz and Demystifying Use Cases
Sponsor: Splunk
https://www.isc2.org/News-and-Events/Webinars/EMEA-Webinars?commid=332973&top10

TLS Decryption: Critical to Detecting Threats
Sponsor: Gigamon
https://www.isc2.org/News-and-Events/Webinars/EMEA-Webinars?commid=334809&top10

Enriching Your Security Product Stack With the Power of IPAM and DNS
Sponsor: Infoblox/Logicalis
https://www.isc2.org/News-and-Events/Webinars/EMEA-Webinars?commid=337164&top10

GDPR Compliance – Don’t Let Your SIEM Be Your Downfall
Sponsor: Splunk
https://www.isc2.org/News-and-Events/Webinars/EMEA-Webinars?commid=304791&top10

As Attackers Evolve, So Must Machines: Advancing Machine Learning Beyond the Hype
Sponsor: Carbon Black
https://www.isc2.org/News-and-Events/Webinars/EMEA-Webinars?commid=307351&top10

APAC

State of the Internet/Security 2018: Web Attacks and a Case Study of Effective Bot Management
Language: Chinese
Sponsor: Akamai Technologies
https://www.isc2.org/News-and-Events/Webinars/APAC-Webinars?commid=341849

Control Digital Data and Make a Business: A Key Point for Achieving 100% Utilization of the Cloud and Compliance
Language: Japanese
Sponsor: Symantec
https://www.isc2.org/News-and-Events/Webinars/APAC-Webinars?commid=339836

Cyber Exposure: Insights into Security Risks/Vulnerability Situation Analysis
Language: Chinese
Sponsor: Tenable
https://www.isc2.org/News-and-Events/Webinars/APAC-Webinars?commid=335578

Protecting Your Organization Inside Out Using Identity
Language: English
Sponsor: Akamai Technologies
https://www.isc2.org/News-and-Events/Webinars/APAC-Webinars?commid=340708

Security at Network Speeds
Language: English
Sponsor: Gigamon
https://www.isc2.org/News-and-Events/Webinars/APAC-Webinars?commid=312817

Image: iStock

(ISC)2 Names New Cybersecurity Advocate for the EMEA Region

Mary-Jo de Leeuw is an award-winning cybersecurity leader

MARY-JO DE LEEUW, recently ranked as one of the U.K.’s 50 most influential women in cybersecurity, has joined (ISC)2 as its Director of Cybersecurity Advocacy for the Europe, Middle East and Asia (EMEA) region. As an advocate, de Leeuw will work to encourage cybersecurity collaboration in developing strong cybersecurity policies, legislation and education in the EMEA region.

“As our recent research shows, our industry has a long way to go to narrow the cybersecurity workforce gap,” said (ISC)2 CEO David Shearer, CISSP. “That’s where Mary-Jo’s experience will be so helpful to our membership. Her background is not only as a strategic consultant herself but as a community builder and connector of women in business around the world. We need more women driving the conversation and Mary-Jo has a proven track record of creating interest and excitement around cybersecurity.”

De Leeuw joins (ISC)2 after serving as an associate partner for cybersecurity and innovation at Revnext, a Dutch high-tech consulting firm that advises executive management of governments, listed companies and NGOs. Based in The Hague, The Netherlands, de Leeuw will report to (ISC)2 Managing Director for EMEA Deshini Newman. “As we continue our vision to make a difference in the region, it’s vital to have strong leaders like Mary-Jo join our mission to inspire a safe and secure cyber world,” said Newman. “Her insights globally will be a great asset for (ISC)2 in the EMEA region as we serve our growing membership.”

“Ever since my first Commodore 64, I’ve been fascinated by bits and bytes and the implications of cybersecurity on how we connect,” said de Leeuw. “I can’t think of a better avenue for devoting my energy than promoting the cybersecurity industry with (ISC)2 and creating opportunities for those who are interested in joining the profession.”

De Leeuw holds a bachelor’s degree in information technology from the University of Applied Science, Utrecht. She is a winner of a European Cybersecurity Excellence Award 2018 and was ranked 10th among 50 global influencers for Europe. She was also ranked No. 10 by IFSEC International and received the global “Iconic Women 2017, Creating a Better World for All” award during the 2017 World Economic Forum in The Hague. •

Steely Dan Founding Member Among Keynotes at (ISC)2 Secure Summit DC

Jeffrey “Skunk” Baxter, national security expert and founding member of the band Steely Dan, will be one of two keynote speakers at Secure Summit 2019 held April 23 and 24 at the Washington (D.C.) Hilton Hotel.

The other keynote will be delivered by Tiffany Olson Kleemann, chief executive officer of Distil Networks and a member of the (ISC)2 Board of Directors.

More than 80 professionals from the public and private sectors will be on hand to lead discussions and workshops, sharing expertise and insight on key issues facing the cybersecurity community. This year’s Summit focus is “Defining Cybersecurity” and will feature four distinct tracks:
• The Profession
• Threats
• New Technologies
• Industrial Control Systems and IoT

“(ISC)2 Secure Summit DC is a tremendous opportunity for cybersecurity leaders in government, military, industry and academia to come together for networking and educational sessions that will help them broaden their cybersecurity strategy toolbox,” said Brian Correia, managing director for North America, (ISC)2.

Attendees will earn 18 Continuing Professional Education (CPE) credits.

To register for Secure Summit DC, visit https://web.cvent.com/event/036c40ab-432b-4af1-ae86-f5a43d6ef9fc/websitePage:826f4417-ca67-4598-b662-25c5ac6e37da. •

(ISC)2 Richmond Metro Chapter Rises to the Challenge

WHEN IT COMES TO CHALLENGES, fundraising can be one of the most difficult. The Richmond Metro (Virginia) Chapter deserves a shout-out for successfully tackling the most recent (ISC)2 Scholarship Challenge. Participating chapters are asked to raise at least $1,500, $750 of which is earmarked for the Center for Cyber Safety and Education’s scholarship fund.

Since the chapter’s inception in 2016, the members have raised more than $12,000 and awarded 10 scholarships to area high school students. The chapter partners with local companies and organizations, area schools and its own membership to raise money. In 2018 alone, $5,750 was raised, with five $1,000 scholarships awarded.

Chapter Vice President Chris Schurman, CISSP, GWAPT, CEH, says that the scholarship challenge is one they take on happily. “The Center for Cyber Safety and Education’s Chapter Scholarship Challenge aligns perfectly with [our] chapter’s mission to foster the next generation of cybersecurity professionals. As such, we expect to continue volunteering for the challenge every year that it remains available.”

For more information on the scholarship challenge, see https://iamcybersafe.org/scholarships/chapter-scholarship-challenge/. •

Photo: Richmond Metro Chapter Fundraising Committee. From left, John Styles, membership chair; Michael Stapleton, treasurer; Ivan Gil, president; and Chris Schurman, vice president.

VULNERABILITY CENTRAL

Start tracking the vulnerabilities keeping you up at night

This exclusive, members-only resource aggregates, categorizes and prioritizes vulnerabilities affecting tens of thousands of products.

Create a customized feed filtered by the vendors, technologies and keywords that are relevant to your interests.

Visit: vulnerability.isc2.org

Free to (ISC)² members through the member portal, no new account required.

¦¦¦ RECOMMENDED READING

Suggested by Larry Marks, CISSP, CISA, CISM, CFE, PMP, CRVPM, CRISC, CGEIT, ITIL

Effective Threat Intelligence: Building and Running an Intel Team for Your Organization
By James Dietle
(CreateSpace Independent Publishing, 2016)

FOR AN ORGANIZATION seeking to build a threat intelligence program and develop its security operations center (SOC) team, Effective Threat Intelligence offers clear and methodical guidance. Author James Dietle educates the user in the basic steps: defining requirements, locating data, establishing a timeline, and identifying risks and threat vectors affecting the firm, all in a calm, controlled, no-nonsense manner.

While many firms are experiencing growing pains attempting to quantify threats, controls and risks impacting them, there are also a variety of vendors selling threat solutions, which may or may not be compatible with an organization’s needs.

The strength of this book is that Dietle helps readers understand and define their initiatives. Like any other program, he understands that it is a journey and not a race and presents a maturity program from level one—with the absence of a plan for threat intelligence—to level five, a developed plan with a dedicated intelligence team.

Missing from this book is a contact list of the data feeds and available tools in the marketplace (though that material might be dated given the book’s 2016 publication date). And Effective Threat Intelligence may not be the right guide for all, as it does not offer a “quick fix” or step-by-step instructions. Rather, it enables the reader to explore the options based on budget and long-term needs.

For me, the book gave me food for thought and showed me that for a new field, it is up to the professional to define requirements and perform a proof of concept on the software that is either purchased or built. •

The author of Recommended Reading did not receive financial compensation from the book publisher, nor a free copy of this book. All opinions are his alone.

HUMAN ELEMENT
50% of data breaches involve an insider threat
Revealed in a review of 7,800 data breaches
Source: McKinsey & Company, Insider threat: The human element of cyberrisk, https://www.mckinsey.com/business-functions/risk/our-insights/insider-threat-the-human-element-of-cyberrisk

SPENDING SPREE
$57.6 BILLION IN 2021
Forecast for worldwide spending on cognitive and artificial intelligence (AI) systems
Source: IDC, Worldwide Semiannual Cognitive Artificial Intelligence Systems Spending Guide, https://www.idc.com/getdoc.jsp?containerId=prUS43095417

“In 2019, cybersecurity engineers will be the best-paid, most recruited tech professionals as organizations struggle to fill vacant cybersecurity positions.”
—Jan. 9 (ISC)2 blog post


Earn your Cybersecurity degree online from a recognized leader

Visit Penn State at RSA booth #4520
worldcampus.psu.edu/isc2

A world of possibilities. Online.


#nextchapter ¦ ¦ ¦ EDITED BY DEBORAH JOHNSON

¦¦¦ (ISC)2 NORTHERN VIRGINIA CHAPTER

New Chapter Serving Metro D.C. Is Up and Running

Combining strong community support and member opportunities provides a boost

SINCE BECOMING AN OFFICIAL CHAPTER last summer, (ISC)2 Northern Virginia (NOVA) has pursued a variety of opportunities for members to connect, educate, inspire and secure. To get a firsthand look at (ISC)2 in action, some of the chapter’s board members met with (ISC)2 employees and trainers in the Alexandria office. Discussions about certifications and professional development courses gave the chapter leaders exciting and relevant information to bring back to the membership.

Last fall, the NOVA Chapter engaged members in three diverse chapter events. Speakers from Walmart Labs and Freddie Mac shared their concerns and activities in information security. In addition to the formal presentations, the chapter also hosted a “Tech Talk” installment at Nova Labs in Reston. The talks offer members the opportunity to network and learn new skills in a more informal setting. These events give chapter members a variety of both hands-on and lecture-style CPE opportunities.

The chapter has been fortunate to have gracious hosts to provide facilities for the larger meetings, while the board has been very busy working on building a tech stack and supporting processes to help fulfill the needs of a growing chapter with some 170 charter members. The chapter could not do it without its amazing sponsors such as Capital One, CrossCountry Consulting, Cyxtera, IT Availability, RPM, South 6 and Zeneth.

(ISC)2 NOVA has gotten a strong start and looks forward to bringing even more opportunities for members to connect, educate, inspire and secure in the years ahead. •

Photos: NOVA members at the chapter bylaws ratification meeting. Chapter members practicing their lockpick skills at a Tech Talk event.

(ISC)2 NORTHERN VIRGINIA CHAPTER
Contact: Dan Waddell, President, (ISC)2 Northern Virginia
Email: [email protected]
Website: https://novaisc2chapter.org
Twitter: @NOVAISC2CHAPTER

¦¦¦ #nextchapter

Q&A

Dan Waddell
President, (ISC)2 Northern Virginia Chapter

Your chapter has strong corporate partnerships. What advice do you have for other chapters for recruiting sponsors and lining up corporate partners?

First, make sure you are adding value to your sponsors. We are fortunate to have one of the largest concentrations of (ISC)2 members in the world here in Northern Virginia, which gives our sponsors a unique opportunity to engage with members and speakers from all aspects of cybersecurity. Also, appoint or vote in someone to join the board and lead the overall sponsorship effort; empower that person to make decisions and give them the resources they need to accomplish the mission.

How does the chapter develop the various programs you offer?

All members of the board are involved in developing our programs, but they’re based on input we get directly from our members. We’re still relatively new, but we’ve been able to offer monthly meetings that feature speakers in an engaging lecture-style/Q&A session as well as more technical hands-on meetups. Both formats offer CPE opportunities for our members, which we submit on their behalf.

I’m also very excited to launch our “intern” membership program this year, which allows undergrads an opportunity to join the chapter for free. We developed this program in response to the data we have seen in the last few (ISC)2 workforce reports, which continually highlight the need to get more younger professionals into our career field.

What kind of feedback are you getting from members to the events the chapter presents? Have you seen membership grow as a result?

We had good attendance at our initial meetings in November and December. Plus, we’ve had a number of recent additions to our board—all of whom have hit the ground running. The chapter has set a goal to hit 200 members this year, and each month there’s been an increase, so I’m confident we’ll reach and exceed our goal by the end of 2019.

What is the biggest challenge in keeping the membership engaged and the chapter relevant?

With such a large group, there’s always the challenge of finding meeting space to host and then executing the logistics necessary to pull off an event that our members can be proud of. We’ve been fortunate enough so far to find local organizations such as Fannie Mae, Freddie Mac and Capital One to host and, of course, having dedicated and passionate board members to pull it off and making sure we are giving value back to our chapter members. •

Bad Work Habits Survey
FOOTLOOSE FANCY FREE

Based on responses from 600 small business employees

62% of respondents say they use their work computers to access personal social media accounts
66% of respondents say they connect to public Wi-Fi to do work

Source: Switchfast, Cybersecurity Mistakes All Small Business Employees Make, https://cdn2.hubspot.net/hubfs/1747499/Content%20Downloads/Switchfast_SMB_Cybersecurity_Report.pdf
advocate’s corner ¦ ¦ ¦ MUSINGS ON SECURITY ISSUES THAT IMPACT MEMBERS

Power to the People
by John McCumber

I RECENTLY COMPLETED another round of meetings on Capitol Hill. My days with the nation’s movers and shakers are always busy and fraught with frustration. One vexation is the natural inclination of legislators to try to address all our national concerns with, well, legislation. It’s the old saw about your only tool being a hammer. I guess they all mean well, but bill authors often create as many (if not more) problems than they solve. Take cybersecurity, for instance.

I can fill a library with ill-fated laws, regulations, edicts, directives, injunctions, doctrines, tenets and guidance designed to help set the standards for what we now call cybersecurity. Many of them started with the assumption that cybersecurity was just like security, but with more cybery stuff. Sadly, it’s not that simple.

One key problematic area remains a thorn in the side of federal, state and local authorities. It’s the result of legislation that mandates activities or outcomes without providing any resources needed to enact them. In fact, these new pronouncements rarely even acknowledge that an investment of resources will be required. We refer to these as “unfunded mandates.” When these appear in legislation, affected departments and agencies are quick to fight back.

Legislators have lately become more sensitive to unfunded mandates, so some recent proposals have included the idea that federal agencies charged with national cybersecurity responsibilities will need to be funded to deliver new, ostensibly more secure, capabilities where they are needed. One such effort saw the Department of Homeland Security (DHS) deploy massive state-level intrusion detection and prevention technology to all American states and territories. It became a maddening mess as the (un)lucky recipients of this federal largesse had to manage the technical integration of a complex yet rapidly aging technology capability.

Fast forward to my recent meetings. A critical yet poorly understood cybersecurity problem that has recently come to light is election security. Naturally, Congress would like to attack this important issue head on. Over the last two years, it has handed the responsibility to DHS, but with little in the way of resources. I had a chance to ask Congressional staffers how they intended to empower a centralized D.C.-based organization to provide adequate services to all the states and territories and all the different technologies used across those states and their local governments to tabulate votes. That drew a shrug from across the table. I suggested a more focused solution.

“Have you considered empowering the people in those government agencies and departments to do the job themselves?” I asked.

“Well, I don’t think they have the necessary skills and knowledge,” was the expected reply.

“Precisely,” I said, “People are the missing factor. You try to deal with technology, policy and procedures, but you leave out the most critical factor: people. Provide workers with the knowledge tools they need for the 21st century and let them make the best decisions from their perspective. We all win.”

Well, the jury is still out on whether my suggestions will find their way into upcoming legislation. Keep an eye on the news coming out of Washington and let me know what you see. •

Photograph: iStock

John McCumber is director of cybersecurity advocacy at (ISC)2. He can be reached at [email protected].
SUMMIT / LATAM
#ISC2LatamSummit

Join us at the (ISC)² Secure Summit LATAM 2019
September 25-26 | Hotel Camino Real Polanco, Mexico City

The event will offer educational sessions presented by thought-leadership experts from all over the region and abroad. Come share best practices and knowledge and meet your peers in a relaxed learning atmosphere.

(ISC)² members can earn up to 16 CPEs
latamsummits.isc2.org

REGISTER NOW
(ISC)2 Secure Summit LATAM | September 25-26, 2019 | Mexico City
http://securesummits.isc2.org

(ISC)2 Secure Summit EMEA 2019

The 2019 Secure Summit EMEA will be a unique experience, taking place 15-16 April 2019 at the World Forum, the largest international conference venue in The Hague, Netherlands. The pre-Summit day on 14 April will also feature three deep-dive workshops, enabling delegates to learn from the most experienced and brightest in our profession.

REASONS TO ATTEND
• 40+ sessions, six themed tracks
• Deep dive workshops
• Simulation exercises and immersive interactive activities
• Town Hall session with the (ISC)2 leadership team
• Networking opportunities
• Earn up to 24 CPEs: 50% more than previous events

Keynotes
At the (ISC)2 Secure Summit EMEA, you will hear from thought-provoking, inspiring and industry-leading speakers. Supporting the conference sessions will be a series of keynote speakers including:
• Dr. Jessica Barker, Co-Founder, co-CEO, Cygenta
• Lorna Trayan, Strategy Leader, IBM Security Services MEA
• Felicity Aston, MBE, British Polar Explorer, Scientist, Author
• Joseph Carson, Chief Security Scientist & Advisory CISO, Thycotic

Register to attend now at: http://securesummits.isc2.org

(ISC)² Information Security Leadership Awards (ISLA) EMEA 2019

The ISLA EMEA awards distinguish information security and management professionals for exceptional leadership and achievements in workforce improvement.

2019 AWARD CATEGORIES:
• Senior Information Security Professional
• Information Security Practitioner
• Up-and-Coming Information Security Professional
• Woman Information Security Professional

Finalists and winners will be recognized by 400+ like-minded industry professionals at the Awards Ceremony lunch on 15 April, during the (ISC)² Secure Summit EMEA 2019.

Have any questions? Need more information? Contact [email protected]


¦¦¦ THREATS

Truth or Consequences
BY JAMES HAYES

It is becoming harder, even for seasoned cybersecurity professionals, to discern what’s real and what’s fake

ILLUSTRATION BY GORDON STUDER

WHEN ENTREPRENEUR ELON MUSK took to Twitter to call for a website “where the public can rate the core truth of any article and track the ‘credibility score’ over time of each … publication,” he was tapping into wider concerns about how online media now routinely carries misinformation, falsehoods and fabrications.

The issues of misinformation and disinformation have risen sharply in recent years due to geopolitical campaigns now known to have influenced democratic elections around the world. Disinformation campaigns also resonate sharply in enterprise IT security, where speed-to-action prompted by alerts and notifications from diverse sources can make critical differences in defensive counteraction to cyberattacks.

In this era of disinformation, unmediated sources of threat intelligence like social networks, web forums and newsfeeds can deliver misguided and misleading information mixed in with actual alerts and malware trends. Cunning cybercriminals leverage ways in which they can use such channels to target IT security personnel for a multiplicity of malicious motives.

So, what’s an information security specialist—or anyone in IT, for that matter—supposed to do to not fall victim to increasingly sophisticated phishing or social media scams and fake threat intelligence reports or fraudulent security alerts?

EVERYONE’S VULNERABLE TO BEING DUPED

Spear phishing aimed at specific professional profiles has risen sharply, says Kaspersky Lab, which reported a 27.5 percent increase during Q3 2018. That amounted to more than 137 million attempted phishing attacks—equal to the number aimed at online payment systems, and only 8 percent less than the number of such attacks aimed at banks.

The rapid change dynamics of the information and communications (ICT) sector also provides ideal conditions for cybercriminals to perpetrate fraud and fakery around “breaking” news. “As new technological and informational updates appear, phishers exploit them,” cautions Kaspersky Lab security researcher Nadezhda Demidova.

For those who work in cybersecurity, the challenge is twofold: first, to be alert to the methods targeting them and, second, to ascertain which sources of information are trustworthy and which are not. The key is to realize that information security professionals are susceptible to being duped just like everyone else.

“IT security professionals operate in one of the fastest-moving areas of technology,” says Brian Chappell, senior director of enterprise and solutions architecture at BeyondTrust, a cybersecurity firm based in Phoenix. “As a result, there’s been high reliance on external sources of data regarding threats, albeit combined with output from monitoring tools. While security professionals [as individuals] are—generally—less likely to fall prey to cyberattacks, they are far from invulnerable, and certainly not immune.”

Bristol, U.K.-based Red Goat Cyber Security has “increasingly seen successful attacks against cybersecurity experts that highlight that no one is invulnerable to them,” reports company partner Lisa Forte. “Attacking cybersecurity organizations and experts yields much kudos for the attackers.”

Indeed, the very status of their role makes security specialists an attractive “trophy challenge” to cybercriminals, agrees Rafael Amado, senior strategy and research analyst at risk management firm Digital Shadows: “Infosecurity professionals specialize in learning about, detecting and defending against cyberthreats, and in minimizing the risks to their organizations. It would be very naive for anyone to assume that they won’t be targeted.”

Overconfidence can also cause security professionals to take additional risks, says Adedayo Adetoye, principal strategic security engineer at Mimecast, a Lexington, Mass., firm that specializes in email security: “Antivirus researchers, for instance, often don’t want to work through AV tools that might interfere with their research [and so deactivate them]. Similarly, network security teams might turn off their firewalls for R&D purposes.”

TAILORED ATTACK TYPES

IT security professionals will not be surprised to discover that, like every other connected colleague in their organizations, they will likely be targeted by online threat actors. What might come as more of a revelation is the forethought and craftiness cybercriminals apply to tailoring attacks to their specific job profiles. Examples include:

• Counterfeit email invitations to real industry events (e.g., conferences)
• Inducements to download free insight collateral (e.g., reports, infographics)
• Blog posts on bogus “breaking news”
• Made-up warnings about insider threats
• Sham customer messages from technology partners
• Bogus recruitment agencies that pitch mocked-up job opportunities

The obvious intention is to solicit a response from the recipient, often by creating the impression that they have been specially selected for controlled access to privileged information, or for a place at a limited-attendee event. More sophisticated attacks might reference additional information about an individual, such as their involvement with a technology specialty that’s been (unwittingly) divulged on social media.

“As with any form of social engineering, cyberattackers look to play on a target’s specific interests and craft their lures in a way to make them as appealing as possible,” says Digital Shadows’ Amado. “That’s why there have been phishing campaigns that use cybersecurity industry event
lures, or [that use] malicious attachments that claim to be new technical or intelligence reports, [but which in fact] deliver malware.”

While a generic phishing attack “is unlikely to get through the natural filters of an IT security professional, spear-phishing attacks can be subtler,” says BeyondTrust’s Chappell. “Anyone who is overloaded by information and activity in the workplace can almost be excused for responding to what looks like a legitimate email.”

IT teams are very busy, agrees Ross Brewer, vice president and managing director of Europe, Middle East and Asia at Boulder, Colo.-based security firm LogRhythm, which can “make it challenging to pay full attention and not click on links that, if they took the time to assess, would seem suspicious. The most seasoned and experienced IT professional can be taken in.” When they target information security teams, adds Brewer, cybercriminals are “doing what they think no one would expect. It’s a brazen approach that relies on the fact that companies will be less prepared for a dedicated attack than targets whose job it is to protect the company…. To succeed, they require not only persistence and intelligence, they also rely on the element of surprise.”

DEPLOYING THE RIGHT LURE

“I’m certainly aware of phishing campaigns where victims have received email lures and malicious attachments that pretend to be invites to cybersecurity conferences,” says Digital Shadows’ Amado. “In one case the attackers used the actual documentation found on the real conference website.”

An example from Red Goat Cyber Security’s Forte is the case of a CISO who was, from his LinkedIn posts, clearly keen to get onto the security event speaking circuit. “The attacker had watched a YouTube video of one of the CISO’s talks at a local get-together. In the initial email, the attacker claimed to have been in the audience, cited specific things they liked about the talk and pretended to be organizing an actual upcoming security conference,” recounts Forte. “Obviously, as this is a real conference, when the targeted CISO Googled it he assumed it was legitimate. The attacker proceeded to invite him to speak at the event and attached the speaker registration form to the email. What happened next you can probably guess. This is just one of many cases [I’ve seen] where IT security professionals have been targeted.”

Bogus job postings are another area where security professionals can be, and have been, duped, adds Amado. “We’ve detected examples on both ‘dark’ and seemingly benign open web forums where users have posted job adverts for security engineers and penetration testers. In some instances, these posts are, in fact, made by cybercriminal outfits to recruit techies to set up and maintain their operational infrastructure [without realizing the true nature of the job].”

According to Andy Harris, chief technical officer at London-based access manager Osirium, “Malicious actors posing as recruiters ask questions like, ‘How would you protect hypervisors and backups?’ and ‘Do you have experience in doing this? Is this how you currently do things?’” Such seemingly routine lines of inquiry can yield valuable background knowledge for cybercriminal tacticians.

“An IT security professional may [in job applications] divulge the particular types of defensive hardware and software their company employs, even naming specific models,” says Amado. “[This is] valuable reconnaissance for an attacker looking to socially engineer employees in the organization or to create appropriate tools to perform a network compromise or deliver bespoke malware.”

SORTING THE GOLD FROM THE GUILE

With the amount of cybersecurity data available to feed threat intelligence increasingly discoverable in the public domain, and the ease with which unsolicited emails can bypass spam filters by spoofing actual identities, evaluating incoming messages can prove a time-consuming task. The quantities of cybersecurity news available in public domains, plus the ability of targeted phishing attacks to elude anti-spam filters, means that malicious information can reach even the best-guarded inboxes.

We’re likely to forget which newsletters we once subscribed to, and therefore fail to recognize the imposters. Clearly, infosecurity professionals who do not want to be cut off from useful channels of threat intelligence must apply procedures that enable them to determine trusted sources of information.

“I tend to think of infosecurity sector news as dots in concentric circles—the closer to the center, the more you trust what you read,” says Yiannis Pavlosoglou, co-chair of the (ISC)² EMEA Advisory Board. “When you read something on Twitter, say, you typically place it in the outermost circle of trust and influence to you. With time, and if this news is real, it gets vetted by more sources you trust—it moves closer and closer to your inner trust circle. Always note, however, that ‘trust’ varies between individuals.”

Such procedures don’t necessarily have to involve bothersome vetting procedures, adds Pavlosoglou. Cross-referencing should factor in as many “golden sources” as possible, along with some “crowd-sourced” checks. “Cross-referencing sector news with multiple sources always helps. There are also a handful of ‘golden sources’ that you know and trust. For example, the golden source
for vulnerability severity scoring is MITRE Corporation’s Common Weakness Enumeration list. Using this, we can confirm the severity for publicly known cybersecurity vulnerabilities on its website.”

Cross-referencing information with a CERT expert group and tracking back CVE (common vulnerabilities and exposures) numbers “is good practice,” agrees Osirium’s Harris. “One of the best approaches to be sure of ‘trusted sources’ is to get out of the office and go to cybersecurity exhibitions and conferences. It would, after all, take a significant effort for cybercriminals to pose as cybersecurity vendors at a trade show.”

BEWARE THE SOCIAL MEDIA HEADHUNTER

WITH CYBERSECURITY PROFESSIONALS in high demand, it’s not unusual to hear from job recruiters through email or social networks. Just know this is where cyberattackers lurk too, as Lisa Forte at Red Goat Cyber Security attests in this client story:

“I worked on a case that involved an IT security team leader. Let’s call him ‘Joe.’ Joe was happy in his job but kept his options open for other opportunities. One day he received a LinkedIn message from ‘Dave’, the ‘head of cybersecurity recruitment’ at a major firm, who commented flatteringly on Joe’s LinkedIn articles and added that he would love to have someone of Joe’s caliber on his books.

“He asked how much Joe was earning in his current job, and promised he’d be able to add at least £15,000 to that salary if Joe was minded to make a move. Joe agreed for Dave to run his profile past prospective clients. Next comes this response: ‘Joe, you’ve been with us five minutes and already I have three international companies keen to interview you. Some of the benefits will blow your mind. Please view each role (documents attached) and let me know which you would be up for. Two of them have a deadline this afternoon, so let me know ASAP.’

“Joe opens the attachments with eager anticipation—a mistake he was to regret for a long time: at least one attachment contained ransomware. Needless to say, ‘Dave’ was not a recruiter.”
—J. Hayes

TECHNOLOGY AS A ‘TRUST TOOL’

Security technology itself plays a big part in helping us ensure that sources of data are who they say they are, BeyondTrust’s Chappell notes. “Techniques like DomainKeys Identified Mail, Sender Policy Framework and Domain-based Message Authentication, Reporting & Conformance can all come together to help us verify the source of an email—but that should never supplant the simple assessment of whether the email was expected, especially if it asks us to do something sensitive to ourselves or our organization.”

Another approach is to look at how known disinformation campaigns are conducted, recommends Digital Shadows’ Amado.

“Understand the tools and techniques attackers use and it becomes easier to spot disinformation,” he suggests. “For instance, one common technique is the use of domain hijacking and ‘typosquats’ to spoof legitimate news sources. Recipients should look closely for obvious signs such as misspellings, odd top-level domains—would your ‘trusted source’ really use a .biz or .xyz domain suffix?”
Looking forward, it’s likely that advanced technology from outside mainstream cybersecurity might be able to help identify and reveal fake news and disinformation. Output from monitoring tools, such as vulnerability management, access management and SIEM (security information and event management), could be augmented by principles of AI, and even blockchain technology, to be able to help online news aggregators enable readers to verify the sources of stories.

“Shared ledger technologies can, in principle, help verify news. As Bitcoin tracks financial transactions, published news articles would be tracked and verified in a shared ledger using principles of blockchain authentication,” explains Pavlosoglou of (ISC)2.

“To succeed, though, some financial incentive in the form of a transaction fee or similar would be required. That way, miners would be incentivized to check and improve the ‘health’ of the news network, adding or removing transactions on the reputation of published articles.”

Meanwhile, some basic low-tech checks can continue to work well, reckons BeyondTrust’s Chappell: “Check with the sender via a different medium. Pick up the phone, for example, to verify the trustworthiness of the message before you respond. This could slow you down a little—but it’s nothing compared with the impact of a successful cyberattack.” •

JAMES HAYES is a U.K.-based freelance editor and technology journalist.
¦¦¦ PROFESSIONAL DEVELOPMENT

WATCH YOUR LANGUAGE
How to effectively engage ‘cyberignorants’ to gain buy-in for your security wish list. BY ADAM WOJNICKI

Illustration: “Looks like someone used an LDAP injection to compromise our web authentication process!” “Ummm, so what’s the impact to our brand and bottom line?”

JUST A FEW YEARS AGO I worked as an information security officer for a major multinational company. At that time information security had just started to be referred to as cybersecurity. Business executives were mainly concerned with Sarbanes-Oxley compliance, and few really believed in stories about hackers stealing valuable data or cybercriminals trying to ransom companies. Media here and there reported a blackout or nuclear facilities destruction attributed to foreign intelligence hacking, but all that used to be considered an unlikely event for a normal company.

ILLUSTRATION BY TAYLOR CALLERY
It’s a different world now. Mobile and cloud technologies are everywhere. Any single company drives its digital strategy focused on valuation of data owned. Cyberattacks are so extensively covered by news media that cyber operations are now considered to be the No. 1 risk by organizations.1, 2 This raises expectations on the business side.

Those years spent in a corporate management position helped me understand that we, IT security professionals, and businesspeople speak two different languages. At that time, I decided to enroll in an MBA program to literally learn how to “speak the business language,” and it was useful. One key takeaway from those studies: If you wish to convince businesspeople to take action, you must use terms they understand. In other words, when presenting risks, emphasize how they impact both the brand and the bottom line.

Too often, cybersecurity professionals are more focused on speaking with precision when they need to speak with persuasion. To do that, it becomes critical to adopt a language easily understood by “cyberignorants.” Why is it so important? Well, the business also is all about satisfying an unfulfilled demand. Therefore, the business leaders are keen to better understand exposure to cyber risk in how it prevents finance improvements or opportunities.

In the profession, we tend to present a security issue as a risk, but as an IT security risk, not a business one. Cybersecurity is complex and we tend to further complicate it with security jargon.

Let’s look at a real-life example:

SECURITY EXPERT VIEW: Sophisticated, state-sponsored attack using a zero-day technique to introduce a computer worm to a national tax system and obtain the entire network ecosystem of a state using ransomware to lock down the attacked systems

BUSINESS VIEW: Disruption of operations due to an accidental security incident with $ impact

The business view of the risk focuses more on the (business) impact side rather than on the threat vector. It is preferably expressed in a quantifiable way ($, €, £, etc.).

IN BUSINESS, IT’S ALL ABOUT THE MONEY

As media report extensively on incidents, executives now are aware of both risks and consequences. They learn this not from reading technical reports but consumer publications—they want to learn from what peer companies or competitors overcame after encountering major difficulties due to security attacks. These are truly business issues and not technical incidents that must be resolved.

When a major pharmaceutical company disrupts production and distribution of vaccines and must use federal stock instead, this denotes loss of revenue, penalties and impacts the bottom line (profits). The loss is counted in hundreds of millions and spreads over two years. This is a quantifiable business risk. To be noted, the chairman of the company was kindly invited to provide explanations in front of Congress. He is not likely to forget the event too quickly.

Another example: A shipping company servicing some major global ports lost all IT systems and had to operate “on paper” for a couple of weeks. Interestingly enough, this case is not only about lost revenue and profits. In this case, the company reported a 4 percent loss of share value. This is called value destruction (as opposed to value creation—an important business term). The EVA (economic value added) is what drives any listed public company. It represents what the investors get out of their investments.

Furthermore, while the company in question lost 4 percent of value equivalent to an evaporation of U.S. $1 billion, its competitors grew by 15 percent. In business, this is called lost opportunities. Looking at security from a business perspective, should we talk about a competitive advantage of companies properly managing their security postures?

And there are dozens of similar examples. All provide an opportunity for security professionals to use comparable illustrations to underscore the need to invest more in cybersecurity. Business leaders that see major companies failing will instinctively think: If this happened to these big companies, how safe are we? What if this happened to us? How would we survive?

A recent study of 50 major Euro Stoxx companies in the aftermath of 2017 attacks3 shows that from a business perspective, the perception of the risk may be simpler than we tend to think (see figure, next page).

The cyber risk anticipated by the business falls into two main categories: theft of data and disruption of operations.
PERCEPTION OF THE CYBER RISK FROM A BUSINESS PERSPECTIVE
(From a recent cross-sector study of 50+ major Euro Stoxx companies)
Disruption of operations: 76%
Theft of data: 47%
Cybercrime: 45%
Espionage: 22%

Disruption of Operations
The first category preoccupies more than three-quarters of those surveyed. This is a clear echo of 2017 events that heavily impacted business operations of some major organizations.

Theft of Data
The second category concerns about half of all companies and relates to the recent switch from a traditional economy to the new economy of data. In this switch, data plays a key role and is now recognized as a valuable business asset.

Cybercrime and espionage
Cybercrime is also often mentioned as a risk and, in most of cases, falls into one or both of the previous categories. Industrial espionage is actually less common and only mentioned by about 20 percent, suggesting respondents either don’t understand or don’t care as much about insider threats.

This analysis also leads to another important conclusion about the business perception of the risk. Rather than describing detailed risk vectors in a complex manner, one could simply consider three categories: accidental, opportunistic and targeted. Cybercrime is an opportunistic risk; espionage is a targeted one. Simplicity helps the business understand this complex topic.

HOW TO COMMUNICATE WITH THE BUSINESS

Let’s start with what the communication is about. Communication is a dialogue, meaning it goes both ways—in our case, from IT to the business and vice versa. In our communication to business units, we provide messaging that fulfills our own goals. But business also has its own expectations. Matching the two is where the communication becomes efficient—and more effective.

The theory of communication defines four key constituents of communication: emitter, receiver, language and content. Each of the emitters and receivers has their own worldview, or way of describing the surrounding world. Effective communication requires the emitter to adapt the language to the audience (aka receiver) so the message is easy to understand. We can adapt the language to the business worldview by describing the risks in a new, simplified way, enriched with some business jargon (EBIT, EVA…) and possibly quantify it based on data and comparables. Let’s focus on the content now.

People working on the business side like to measure everything. They measure impact of an investment (ROI), they measure progress in time and performance through key performance indicators (KPIs) and risk with KRIs… the list of metrics is long.

UNDERSTAND YOUR AUDIENCE

Let’s look at marketing, as an example. What image immediately comes to mind? You probably envision campaigns on the scale of Apple, when the late Steve Jobs was its frontman. New products were released with much panache, leading many business students to want to follow in Jobs’ footsteps as a marketer extraordinaire. But marketing in reality is rooted in metrics that measure campaign successes. There are entire books, several hundreds of pages long, describing dozens of marketing measurement KPIs (see an example in Footnotes, no. 4).

But paradoxically, even though cybersecurity falls under the science of computing, it tends to be more qualitative than scientific. Our security dashboards, often based on a random collection of all available technical indicators, hardly reflect the exposure of the business to the cyber risk in a way that is consistent and understandable to the business.

But what should we measure then?

Let’s think again about the receiver, especially if that person works in marketing. What would businesspeople need, or at least want, to better understand the state of security at their company? Chances are the answer is metrics. They want proof the systems are secure or that vulner-
BUSINESS TERMS
EVA or value creation/
GLOSSARY

Economic value added is the value created in excess of the required return for
destruction the company’s shareholders
Top line/revenues Money received from the sale of products and services before expenses are
taken out
Bottom line/EBIT Earnings Before Income and Taxes; the result after all revenues and expenses
have been accounted for
KPI Key performance indicator evaluates the success of an organization or of a
particular activity
KRI Key risk indicator is a measure used in management to indicate how risky an
activity is
ROI Return on investment
Lost opportunities “Cost” incurred by not enjoying the benefit associated with the alternative
Competitive advantage The attribute that allows an organization to outperform its competitors
Source: Wikipedia

abilities have been patched. And they want it presented in a business perspective.
manner that mirrors their own dashboard reports. Last but not least, make sure what you propose is mea-
This means measuring threat exposure through 3 KPIs: surable so performance can be tracked on a regular basis.
posture, dynamics and performance. The posture indicators This is truly where you, as a security professional, can prove
measure how the business is exposed to anticipated risks an investment will pay off.
at a point in time. The dynamics measure how this posture For too long, we in the information security industry by
evolves in time and within different time ranges. Finally, default have been too paranoid or too optimistic in how we
the performance indicators should reflect the efficiency present what we do and why it’s vital to the organization.
of controls as well as the operational and even economic It’s time we all join our business brethren on the other side
performance of security efforts. of the aisle and become more transparent and measured.
Knowing the expectations of the business, we can The future of the company may depend upon it. •
define a system of meaningful indicators and match them
to existing information. With this approach we build mul-
tiple levels of data consolidation that help provide the right ADAM WOJNICKI, CISSP, is Director Innovation & Expertise at
level of synthesis to the right level of audience. Harmonie Technologie, a leading risks and security consultancy
“Keep it simple” should be the motto while talking to in Paris.
the business on security. It takes great skill to make the
FOOTNOTES:
complex simple, but it’s something top performers in any 1
https://www.agcs.allianz.com/insights/white-papers-and-case-stud-
field learn to do well. ies/allianz-risk-barometer-2018/
Remember the concerns of the business on risks and 2
https://www.risk.net/risk-management/5424761/top-10-operation-
focus on what counts to the business: financial loss related al-risks-for-2018
to the disruption of operations or data theft. Express the 3
https://www.bearingpoint.com/fr-fr/notre-succes/publications/regu-
business impact in terms of top and bottom line, talk latory-intelligence-initiatives-1810/
about potential value destruction. Use recent examples 4
Key marketing metrics by Paul W. Bendle, Neil T. Pfeifer, Phillip E. Reibs
to illustrate. Employ the language of risk, but from a Farris

RETURN TO
InfoSecurity Professional | 27 | March/April 2019 CONTENTS
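As an added worked example (not from the article or its author), the three KPI classes described above are computed from a constructed set of vulnerability findings and consolidated per business unit with a company roll-up; the findings, severities, SLA targets and business-unit names are all assumptions made for the example.

```python
"""Security KPIs in the three classes the article describes, computed from a
constructed set of vulnerability findings: posture (exposure at a point in
time), dynamics (how posture moves over different time ranges) and performance
(efficiency of the remediation control). Results are consolidated per business
unit and rolled up for the company, the "levels of consolidation" the text
mentions. Data, severities, SLA targets and business units are all assumed."""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Finding:
    asset: str
    business_unit: str
    severity: str              # "critical", "high", "medium" or "low"
    detected: date
    resolved: Optional[date]   # None while the finding is still open


# Constructed sample findings (not taken from the article or any real scan).
AS_OF = date(2019, 3, 31)
FINDINGS = [
    Finding("erp-db-01", "Finance", "critical", date(2019, 1, 10), date(2019, 1, 25)),
    Finding("erp-app-02", "Finance", "high", date(2019, 2, 1), None),
    Finding("pay-gw-03", "Finance", "medium", date(2019, 3, 5), date(2019, 3, 20)),
    Finding("cms-web-01", "Marketing", "critical", date(2018, 12, 15), None),
    Finding("cms-web-02", "Marketing", "high", date(2019, 1, 20), date(2019, 3, 1)),
    Finding("crm-api-01", "Marketing", "high", date(2019, 3, 10), None),
    Finding("wh-scan-01", "Operations", "low", date(2019, 2, 14), date(2019, 2, 16)),
    Finding("wh-plc-02", "Operations", "critical", date(2019, 3, 28), None),
]

# Assumed remediation targets in days, one per severity.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}
# Severities that count toward the exposure (posture) indicator.
EXPOSURE_SEVERITIES = {"critical", "high"}


def is_open_on(finding, day):
    """A finding is open on `day` if detected by then and not yet resolved."""
    return finding.detected <= day and (finding.resolved is None or finding.resolved > day)


def posture(findings, day):
    """Posture: number of critical/high findings open at a point in time."""
    return sum(1 for f in findings if f.severity in EXPOSURE_SEVERITIES and is_open_on(f, day))


def dynamics(findings, day, windows=(30, 90)):
    """Dynamics: change in posture versus each look-back window (negative = improving)."""
    now = posture(findings, day)
    return {f"{w}d": now - posture(findings, day - timedelta(days=w)) for w in windows}


def performance(findings, day, window=90):
    """Performance: mean days to remediate and SLA hit rate for findings closed in the window."""
    start = day - timedelta(days=window)
    closed = [f for f in findings if f.resolved is not None and start < f.resolved <= day]
    if not closed:
        return {"mttr_days": None, "sla_met_pct": None}
    durations = [(f.resolved - f.detected).days for f in closed]
    within_sla = sum(1 for f, d in zip(closed, durations) if d <= SLA_DAYS[f.severity])
    return {"mttr_days": round(mean(durations), 1),
            "sla_met_pct": round(100.0 * within_sla / len(closed), 1)}


def scorecard(findings, day):
    """One row per business unit plus a company roll-up, all three KPI classes each."""
    units = sorted({f.business_unit for f in findings})
    rows = {}
    for unit in units + ["Company"]:
        subset = findings if unit == "Company" else [f for f in findings if f.business_unit == unit]
        rows[unit] = {
            "posture": posture(subset, day),
            "dynamics": dynamics(subset, day),
            "performance": performance(subset, day),
        }
    return rows


if __name__ == "__main__":
    for unit, row in scorecard(FINDINGS, AS_OF).items():
        print(f"{unit:<11} posture={row['posture']} dynamics={row['dynamics']} "
              f"performance={row['performance']}")
```

The same three functions can be re-run against any other consolidation key (region, product line) by changing the grouping in `scorecard`, which is how one dashboard feeds several audience levels.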
¦¦¦ MANAGEMENT

Cybersecurity’s Project Management Impact
WORKING WITHIN THE JUNCTION OF THE CIA TRIAD AND PM TRIPLE CONSTRAINT
BY CHIP JARNAGIN AND JAIME B. SAINZ

SEVERAL YEARS AGO, a major defense contractor developed an application for the U.S. military that maintained the information for the delivery of medical services for American military hospitals throughout the world. It included the medical and insurance data for service personnel and their families for several branches of the military.

Unfortunately, a state-sponsored cyber operation hacked the system, prompting senior VPs to phone generals in the middle of the night to inform them that their data was breached. The issue was tracked back to a vendor’s product with known vulnerabilities. When the project manager was asked about the vendor code, he denied that the project used the product. He didn’t know that it had been incorporated into the application.

ILLUSTRATIONS BY ROBERT PIZZO

It turned out that in their frenzy to meet deadlines, the developers included the faulty piece of technology into the application, unaware of the cybersecurity ramifications. As cybersecurity had not been an integral consideration for the project, the vulnerable code was not discovered. While this is an extreme example of what can happen when cybersecurity is not a priority for a firm’s projects, not including it from the beginning of any project can cause major issues.

Doing so is more important than ever, yet integrating cybersecurity into project management from the start continues to be ignored. One way to improve the overall quality of a product or service being delivered, including reducing the risks of it being leveraged or targeted in a cyberattack, is to consider incorporating two fundamental models into one program: the project management Triple Constraint and the cybersecurity Confidentiality, Integrity and Availability (CIA) Triad.

THE CYBERSECURITY AND PROJECT MANAGEMENT INTERSECTION
Most fields of expertise maintain specific best practices or frameworks that enable their value delivery. Both cybersecurity and project management have well-proven concepts and standards through which their functions are performed. Within project management, one of the most basic concepts is the Triple Constraint (see Fig. 1, below). In cybersecurity, the CIA Triad is foundational. A project that follows the best practices of both disciplines is more likely to produce a quality result.

The project management Triple Constraint has three components: scope, time and cost, which are considered to be equal in importance. Quality is said to have been achieved by satisfying all three.

Figure 1: The Project Management Triple Constraint

Each leg of the triangle is dependent on the others. If one of the legs changes, the remaining legs of the triangle must be adjusted to maintain the quality of the project. Although adjusting the other legs is not always possible, the Triple Constraint should always be considered when a change in the project scope, time or budget is introduced.

The CIA Triad’s three key components are confidentiality, integrity and availability (see Fig. 2, above). By implementing security controls that support all three factors, the data and services those controls protect will be secure.

Figure 2: The CIA Triad

Confidentiality ensures that the given resource is accessible to specifically authorized personnel. Security controls
such as encryption and identity and access management (IAM), along with the technologies and processes that enable them, are part of this section of the triangle.

Integrity ensures that the organization’s data is unmodified by an unauthorized entity. Whether data is in motion or in storage, it must be kept in a state that is trustworthy. Among the controls that provide integrity are access controls (e.g., file permissions) and the use of cryptography.

Availability ensures that the given data or service is accessible to authorized individuals when needed. Numerous controls enable availability along with the network and infrastructure supporting them.

Both the CIA Triad and the Triple Constraint are focused on the quality of the end result: one is a secure environment and the other is a project delivered successfully. The key is to focus on the benefits of implementing best practices in both disciplines. Figure 3 (above) illustrates the relationship between the two concepts. Placing cybersecurity phase gates throughout the project will improve the quality of the project deliverables.

Figure 3: The Intersection between the CIA Triad and Project Management Triple Constraint

PROJECT RISK VS. CYBER RISK
Project management risk and cybersecurity risk have different characteristics.

The Project Management Institute’s (PMI) Project Management Body of Knowledge (PMBOK) defines project risk as “[a]n uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives.”1 Under the Project Risk Management knowledge area, PMI defines six different processes that are necessary to control risks on a project. All of these processes are directed toward impact on a project itself and do not take cyber risk into account.

On the other hand, cyber risk is defined as “[t]he level of impact on organizational operations (including mission, functions, image or reputation), organizational assets or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.”2

Going forward in this article, any reference to risk is a reference to cyber risk.

CYBERSECURITY CONCERNS WITHIN THE FIVE PROJECT STAGES
PMI’s PMBOK identifies five stages (process groups) every project goes through. In order, they are: initiating, planning, executing, monitoring and controlling, and closing.3 They are defined as follows:

Initiating: Includes activities through which the definition of a new project is developed and authorization is granted to begin.

Planning: Includes the activities defining the project scope. The objectives of the project are developed during these activities along with the development of the action plan and schedule to accomplish the project objectives.

Executing: Includes the completion of the activities identified in the project plan to meet all of the project requirements.

Monitoring and controlling: Includes all activities performed to ensure the project remains on track and encompasses the management of any changes to the plan, scope, schedule or budget.

Closing: Includes all activities required to officially complete and close the project or a given phase of the project.

Figure 4: Project Stages

The following is a list of general questions and actions to include cybersecurity in each of the five project stages. This is not an exhaustive list because some projects will have special requirements that need further investigation/assessment.

Initiating
• Can the project impact the security of the organization?
• Identify and document cybersecurity decision owners. Outside of IT, ask the business to identify who can make project-specific decisions regarding data access, data retention, data destruction, data classification, disaster recovery and business continuity planning.

Planning
• Plan the required levels of security for each data type based on its classification (e.g., public, confidential, restricted, company proprietary, etc.).
• Outline what data requires encryption during transmission, what data requires encryption at rest and what data requirements apply if the data is transmitted to a third party. Also determine what levels of encryption are required.
• Set the standards for compliance, including considerations for PCI, GDPR, PII, HIPAA, etc.
• Validate (and document if necessary) with the IT team their responsibilities for providing the hardware, operating systems, software patching, maintenance and systems support.
• Plan and document any disaster recovery and business continuity plans that need to be implemented.
• Develop a detailed document regarding the standards and procedures for access control (including physical security), logging and monitoring, privileged access management and compliance guidelines for backup data retention and any other relevant processes.
• Include the implementation of data loss prevention (DLP) software if it can be funded because it adds real-time, preventative control for keeping data secure.
• Create a cyber risk management plan for the project deliverables.

Executing
• Ensure compliance with all standard cybersecurity processes and documentation identified above.

Monitoring and Controlling
• Confirm that all ongoing cybersecurity processing and controls are maintained through regularly scheduled reviews.
• Ensure that all preventative and corrective actions are taking place.

Closing
• Remediate any remaining cybersecurity concerns.

Under some limited circumstances, during the initiating stage, it may be determined that the project has no impact to the firm’s data security, IAM, network connectivity or physical security. If that is truly the case, then the rest of the assessments are not needed. However, a project team must be very careful in reaching this conclusion.

CYBERSECURITY AS A CONCERN FOR ALL OF A COMPANY’S PROJECTS
Consider the example of the threat of a direct kill chain to valuable IT corporate assets posed by IoT (Internet of Things) devices now being installed for building automation.4 Currently, IoT cybersecurity is an oxymoron. In most firms, those building projects are outside of the purview of the cybersecurity organization, creating vulnerabilities that can be hacked.

For example, in what has to be one of the greatest “fishing” attacks ever (https://www.businessinsider.com/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4), hackers breached the automated thermostat of a casino lobby aquarium and exfiltrated the casino’s high-roller database.5 According to a 2017 study involving more than 3,000 companies, 84 percent had experienced some type of IoT breach.6

Because the cybersecurity attack surface has become so broad and pervasive, a company’s Project Management Office (PMO) must make the risk assessments described above a requirement for all the firm’s projects. It has become an imperative that cybersecurity operations have insight into all of the firm’s projects, including those outside of traditional IT, to assess whether they impact the cybersecurity stance of the organization and, if so, determine what mitigation/controls are needed.

Also, in some companies there are multiple PMOs. This is very much like having shadow IT. All independent PMOs should be integrated with the firm’s overall PMO to ensure that cybersecurity concerns are standardized for all projects. In fact, a logical argument can be made for a company’s PMO to reside within the cybersecurity organization. This would help ensure that cybersecurity oversight is incorporated in all of a firm’s projects.

CONCLUSION
No company wants to experience a breach like the one recounted at the beginning of this article. By incorporating cybersecurity safeguards into every stage of a project, vulnerabilities that previously would not have been considered nor discovered can be mitigated.

In summary:
• Cybersecurity should be taken into account for all of a firm’s projects.
• The company-wide PMO should adopt the recommendations detailed in the above list of what cybersecurity assessments should be done in each of the five project stages.
• A firm should only have one PMO to ensure that cybersecurity concerns are standardized across all of the organization’s projects.
• All of a firm’s projects should be run by the company-wide PMO starting with the Initiating stage of the projects to ensure that all cybersecurity vulnerabilities are recognized and mitigated.

Shutting down the threats of a direct kill chain to valuable corporate assets posed by a firm’s projects can be accomplished by following the recommendations in this article. •

CHIP JARNAGIN, MBA, CISSP, PMP, CSM, Lean Six Sigma Green Belt, is a consultant at LatticeWorks Consulting. He has more than 20 years of experience in cybersecurity, telecommunications and IT. He is published in the fields of cybersecurity, organizational culture, project management and IT governance/management.

JAIME B. SAINZ, MBA, CISSP, CISM, PMP, is a security strategist at a Fortune 100 company. He has more than 20 years of experience in IT, cybersecurity and project, program and portfolio management. He is also an adjunct professor of cybersecurity at William Jessup University.

FOOTNOTES:
1 Project Management Institute; Project Management Body of Knowledge, p. 720; Project Management Institute, Inc., 2017; Newtown Square, Pa.
2 NIST; “FIPS Pub 200: Minimum Security Requirements for Federal Information and Information Systems,” p. 8, NIST, March 2006, https://csrc.nist.gov/csrc/media/publications/fips/200/final/documents/fips-200-final-march.pdf
3 Project Management Institute; op. cit., p. 554
4 For more information on how IoT is expanding firms’ attack surface, see “‘Building’ a case for stronger IoT-related cybersecurity,” the feature article in the February 2019 (ISC)2 enewsletter Insights, https://www.isc2.org/News-and-Events/Infosecurity-Professional-Insights
5 Williams-Grut, O.; “Hackers Once Stole A Casino’s High-Roller Database Through A Thermometer In The Lobby Fish Tank,” Business Insider, April 15, 2018, https://www.businessinsider.com/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4
6 Colley, A.; “More Than 80 Per Cent of Companies Hit with IoT Breaches: Study,” CSO, March 1, 2017, https://www.cso.com.au/article/615124/more-than-80-per-cent-companies-hit-iot-breaches-study/
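An added example (not from the article or its authors) that turns the five-stage checklist above into cybersecurity phase gates a PMO can evaluate across its whole portfolio: a project advances only past a gate whose items it has recorded, and the Initiating-stage exemption is honoured only when all four areas the article names were explicitly assessed as having no impact. The artifact names, the strictness of the exemption rule and the three sample projects are this example’s own assumptions.

```python
"""Cybersecurity phase gates over the five PMBOK process groups listed in the
article. Each project records the artifacts it has produced; the gate check
walks the stages in order and reports the first gate the project cannot pass
and what is missing. The article's "limited circumstances" exemption is modelled
as an explicit assessment of all four named areas that finds no impact. Artifact
names, projects and the exemption rule's strictness are this example's own."""
from dataclasses import dataclass, field

STAGES = ("initiating", "planning", "executing", "monitoring_and_controlling", "closing")

# Areas the article says must show no impact before later assessments may be skipped.
IMPACT_AREAS = ("data_security", "iam", "network_connectivity", "physical_security")

# Required artifacts after Initiating, shorthand for the article's checklist items.
# DLP is recommended "if it can be funded", so it is deliberately not a gate item.
GATE_REQUIREMENTS = {
    "planning": {
        "data_classification_levels", "encryption_requirements", "compliance_standards",
        "it_responsibilities_validated", "dr_bc_plans", "access_control_standards",
        "cyber_risk_management_plan",
    },
    "executing": {"standards_compliance_confirmed"},
    "monitoring_and_controlling": {"scheduled_control_reviews", "corrective_actions_tracked"},
    "closing": {"remaining_concerns_remediated"},
}


@dataclass
class Project:
    name: str
    artifacts: set = field(default_factory=set)
    # impact[area] is True or False once assessed; an absent key means "not assessed".
    impact: dict = field(default_factory=dict)


def initiating_missing(project):
    """Initiating gate: every impact area assessed and decision owners documented."""
    missing = {f"impact_assessment:{a}" for a in IMPACT_AREAS if a not in project.impact}
    if "decision_owners_documented" not in project.artifacts:
        missing.add("decision_owners_documented")
    return missing


def exempt_from_further_assessment(project):
    """Exemption applies only when all four areas were assessed and none is impacted."""
    return all(project.impact.get(a) is False for a in IMPACT_AREAS)


def gate_status(project):
    """Return (blocked_stage, missing_items); (None, set()) means every gate is passed."""
    missing = initiating_missing(project)
    if missing:
        return "initiating", missing
    if exempt_from_further_assessment(project):
        return None, set()
    for stage in STAGES[1:]:
        missing = GATE_REQUIREMENTS[stage] - project.artifacts
        if missing:
            return stage, missing
    return None, set()


def pmo_report(projects):
    """PMO-wide view across every project, including those outside traditional IT."""
    return {p.name: gate_status(p) for p in projects}


# Constructed projects (not from the article).
PORTAL = Project("patient-portal",
                 artifacts={"decision_owners_documented", "data_classification_levels",
                            "encryption_requirements", "compliance_standards",
                            "it_responsibilities_validated", "dr_bc_plans"},
                 impact={a: True for a in IMPACT_AREAS})
SIGNAGE = Project("lobby-signage-refresh",
                  artifacts={"decision_owners_documented"},
                  impact={a: False for a in IMPACT_AREAS})
HVAC = Project("hvac-iot-retrofit",            # building automation run outside IT
               artifacts={"decision_owners_documented"},
               impact={"data_security": False, "iam": False})   # two areas never assessed

if __name__ == "__main__":
    for name, (stage, missing) in pmo_report([PORTAL, SIGNAGE, HVAC]).items():
        verdict = "passes all gates" if stage is None else f"blocked at {stage}: {sorted(missing)}"
        print(name, verdict)
```

The HVAC project shows the point of running the check portfolio-wide: it is blocked at Initiating not because an impact was found but because two areas were never assessed, which is exactly the kind of project the article says escapes a cybersecurity review.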
center points ¦¦¦ FOCUSING ON EDUCATION AND RESEARCH INITIATIVES

It’s All in the Numbers
by Pat Craven

CYBERSECURITY IS ALL ABOUT NUMBERS—a bushel basket full of ones and zeros. Well, have I got some numbers for you this month—numbers that equal lives changed, and potentially saved, from the terror of being bullied online or having personal information stolen, leaving lives in ruins. Every cyber safety lesson that you help us deliver through our Safe and Secure Online and Garfield’s Cyber Safety Adventures program is another life changed forever. Check out these numbers for 2018:

• 623 Middle School Presentations downloaded, reaching 23,676 children ages 11 to 14.
• 685 Parents Presentations delivered, teaching 18,215 adults how to help protect their families online.
• 523 Senior Presentations given, making 10,255 senior citizens safer from fraud and online scams that could wipe out their entire retirement savings.
• 1,051 Award-Winning Garfield Educator Kits distributed around the world, delivering 31,530 critical cyber safety lessons to children 6 to 11 years old.
• Another 7,587 Garfield digital lessons delivered online.
• 467 of the free Garfield PowerPoint presentations downloaded, delivering another 14,010 safety lessons.

My friends, that’s 105,273 cyber safety lessons delivered in one year! Combine that with the 65,000 lessons delivered last year, and that means we have provided nearly as many safety lessons to parents, seniors and children these past two years as we delivered in the last 10 years combined.

And that is just what we can measure. These numbers don’t include the literally millions of people who received tips on how to be safe and secure online from our television appearances, radio interviews, podcasts, blogs, social media posts, seminars and magazine articles or from the 140,000 unique visitors to our websites this year (www.IAmCyberSafe.org), which are loaded with safety tips for the entire family in multiple languages, with more being added all the time. As you read this, hundreds of volunteers are in the process of translating our materials into more than 30 languages.

To say we are on a roll making the world a safer cyber place for everyone would be an understatement, but the credit goes to all who volunteer and support the Center for Cyber Safety and Education in ways big and small. Simple things like following us on social media or making a presentation at a local school or even within your own company to fellow employees and parents. Want to be a part of this fast-growing give back program? Check out our new Garfield S.A.F.E. program (https://iamcybersafe.org/corporate-responsibility/) for ideas on how you and your company can get involved, anywhere in the world.

This year is already off to a record-breaking start, so please join us in our effort to make it a safer cyber world for everyone by volunteering or donating to the effort. We can only make this work with your support. •

Pat Craven is the director of the Center for Cyber Safety and Education and can be reached at [email protected].

Illustration: Theispot/Michael Austin
(ISC)2 community ¦¦¦ SHARING INSIGHTS FROM BUZZWORTHY THREADS
Join at https://community.isc2.org

Highlights from Recent Discussions on the (ISC)2 Online Forum

The (ISC)2 Community has more than 20,000 cybersecurity professionals connecting, sharing knowledge and offering solutions in the online forum. InfoSecurity Professional, in partnership with the Community’s administrators, presents a few of the more buzzworthy threads. Note that the questions and responses may have been edited for clarity and brevity.

Editor’s Note: Usually, at least two topics are posted on this page. However, the question below elicited a tremendous and varied response, which is sampled here.

QUESTION:
Chipping pets has been around for years. Chipping people has too, but not nearly so widespread. The Guardian has reported that the idea of chipping employees is being discussed by employers and unions are expressing concern. (See “Alarm over talks to implant U.K. employees with microchips — Trades Union Congress concerned over tech being used to control and micromanage” at https://bit.ly/2B168Sx).

Having chips in all employees and readers placed around the facility … could greatly benefit physical security and insider threat protection. Of course, that same system could become an amazingly intrusive invasion of privacy.

Would you recommend a chip program as part of the security program at a company you were advising? Alternatively, if your employer set up a voluntary chip program, would you get a chip? Or, if your employer announced a mandatory program, would you quit?
—Submitted by CraginS

SELECTED REPLIES:

Personally, I would be happy to be chipped if it meant not having to carry door entry cards and smart cards for system access. I would also consider this for home locks. However, I could see this being a major challenge to try and implement this in our organization, an NHS site.
—Posted by chinoblue

I wouldn’t volunteer to have a chip implanted in me, and if the organization mandates it, I’ll want to resign. . . .
—Posted by Shannon

I guess you have to ask the Swedes their opinion; they are embracing it wholeheartedly: https://theconversation.com/thousands-of-swedes-are-inserting-microchips-into-themselves-heres-why-9…. They see the advantages, benefits—in an interview on New Zealand Radio, one of the advantages quoted was reducing the chance that the employee forgot their security pass!
—Posted by Caute_cautim

I don’t understand why there is a need to implant tech inside the human body for identification purposes when we are carrying around our identifiers every day, all day long. Our thumbprints, our faces. For a contactless identification, a camera can do. You can recognize a person from his face, his walking.
—Posted by Micael

I don’t see a way for such a ridiculous policy to become mandatory unless people became someone else’s property, a practice stamped out hundreds of years ago. Ultimately what is the purpose? To subjugate the employee (I’ll keep the ID badge, thanks).
—Posted by Kempy

While I am against the premise for privacy reasons, there is an advantage to bio-chipping. You cannot lose a chip. It is less expensive and can be combined for two- or three-factor authentication to increase security access. If the chip is inserted in the hand, a special glove can mask the chip for privacy.
—Posted by bucknerj

Employers should mind their business and stay out of their employees’ bodies…. The technology may be OK and very attractive but it crosses a fine line of responsibility. If chip technology is implemented, I need the option to opt-out. It gives the business too much control over my life!
—Posted by wpatterson2

I can see the amazing benefits of a microchipping program. I [hear] a lot of rhetoric around invasion of privacy but, to be fair, I’m not as concerned as others. Right now, we carry smartphones, tablets, laptops and other forms of tech provided by our employers that can be used to track our activities and movements. Swipe tags, anyone?
—Posted by SOC_Puppet

IAM is my passion. I’ve matured with IAM for 25+ years as it has matured… I have never thought embedded tech was the way to go…. I like the Yubi key. It’s small, highly compatible with OpenID and has PIV integrated with it. I think this device would reduce many security issues and not impact the privacy of the individual.
—Posted by Flyslinger2

Find this thread at https://bit.ly/2G0y0J7.
In partnership with

ENRICH ENABLE EXCEL
Registration now open
10-11 July 2019 • Conrad Hong Kong
2 Days • 6 Tracks • 35+ Sessions • 40+ Speakers

(ISC)2 Secure Summit APAC 2019 is the perfect opportunity for you to gain insight from great minds in the cybersecurity industry and participate in Enriching sessions, panels and best practice sharing designed to sharpen your skills and hone your craft. Meet over 400 peers from all levels and across a range of industries and immerse yourself in discussions that will Enable you to better secure your organization and Excel as a cybersecurity professional.

REGISTER TODAY
Don’t miss this must-attend event!

Have questions? Talk to us!
Sponsorship - Michaella Park ([email protected])
Registration - Helena Cortes ([email protected])

Enjoy member discount & earn up to 24 CPEs

GET CERTIFIED.
Join (ISC)² on stand A180 at Infosecurity Europe
4 - 6 June 2019, Olympia London
(ISC)2 Member Reception on 5 June

(ISC)² members can claim CPEs for attending workshops or educational talks taking place at Infosecurity Europe. CPEs cannot be claimed for only visiting the expo floor. Please refer to the CPE guidelines for information on how to submit.

www.isc2.org
© 2019 (ISC)2, Inc. All rights reserved.