Articles under the topic Security

Securing Wi-Fi & the Emperor's New Clothes

CIOs are increasingly under pressure to do more with less as we see the economy slowing down. This would typically mean cutting down IT costs from every corner without reducing services. Relatively untouched is the network piece of our infrastructure services, which is not often talked about. But in my view, this also provides a window of opportunity, not just in terms of costs but agility as well.

Mobile Device Security in a BYOD World

A recent study shows that less than 10% of BYOD employees auto-lock their tablets, and that people were more security-savvy about their smartphones, with 25% locking. For IT security reasons, the employer may have remote capabilities to monitor activity and, in the event of loss or employee termination, wipe the data. The employer is liable for potentially lost data on the mobile. So, to maintain security in a BYOD world, plan on giving up some liberties.

Systems Objective Scorecard

During the course of managing an IT department, it is important for IT management to understand areas of risk. There are standard best practices that can be engaged to score your department/organization. These include assigning staff responsibilities for the information systems environment to specialized personnel.

Resource Scarcity in Information Security

Seeking better value is the new norm. As an industry, security gets heavier and heavier. We add new security tools but seldom get rid of the old ones. So, it's no surprise that when our companies require us to reduce our budgets, we don't really know how to do it. In the face of these tightening budgets, we need to adapt and survive. This leaves us with three options.

CISO Challenge: The Build Vs Buy Problem

This post is about discussing the very real Build vs. Buy problem many CISOs are running into. Whether it's for lack of available talent, time, or simply priorities, CISOs have to make this decision nearly every day, so this post discusses some of those choices, their consequences and rationale.

Hacking-as-a-Service: A Scary Trend

In its 2013 Threats Predictions report, McAfee Labs states that cybercriminals will receive an increase in requests for their hacking services. It predicts that Citadel will become the Trojan of choice for cybercriminals. Also, the number of suspicious outfits claiming to sell zero-day attacks or the sale of spying services reserved for the sole use of governments or secret services will grow. 

New Demands on CISO

I reached out to 12 senior CISOs before I penned this blog post and everyone thought that it was a good idea and some called it innovation. I was actually a bit miffed. I reminded them that this had always been an expectation from their chair, but all that one got was policies and policing. CISOs should help employees conduct their business in a safe and secure environment.

The Security ROI "Death Spiral"

The worst thing that can happen to a CISO is to get trapped in the ROI Death Spiral: when you have to show the ROI before you spend money. The only solution is to figure out how to add value and make your company better, stronger, faster. That's the only way out of the trap your CFO has built for people that he thinks aren't adding value and delivering on promises.

DDoS Attacks Prevention and Mitigation

DDoS attackers' motivations have become more diverse, going beyond the pursuit of blackmail or illicit financial gain: unfair business advantage, ideological activism and political activism now drive these types of attacks. Organizations should have a more proactive process and alternative strategies in place, apart from relying on vendors to save them from these kinds of attacks.

Is Burying Bad News the Oldest Trick in the Corporate Book?

Many large companies choose to keep quiet, and do not notify either the agencies or customers when their IT systems are compromised. They do not want to showcase themselves as vulnerable, and they have a reputation that needs to be preserved. Will the possible introduction of mandatory data breach notification laws change this reticent behaviour? 
