About Emily Holbrook

Emily Holbrook is a former editor of the Risk Management Monitor and Risk Management magazine. You can read more of her writing at EmilyHolbrook.com.

Leadership Lessons From the Corner Office

Yesterday, at the 16th annual Wharton Leadership Conference, I was lucky enough to hear musings from Adam Bryant, senior editor for features at the New York Times, where he not only leads a team of reporters but also authors the popular “Corner Office” column in the Sunday business section and online — a recurring piece that he first began writing in 2009.

When he started interviewing leaders of the world’s largest, most successful organizations, he decided he wasn’t going to ask them simply about their business strategy. He began asking broad, open-ended questions about the most important leadership lessons they had learned throughout their lives.


“We have to make sense of leadership for ourselves,” he said. “I started asking why some people get promoted over others time and time again. This is what separates leaders, from what I’ve learned, and I believe these qualities are truly useful in any context.” They are:

  • Passionate curiosity — “A deep sense of engagement with the world, how things can be made to work better, these two words are greater than the sum of their parts”
  • Battle-hardened confidence — “Track record for tackling adversity, these people know things are going to come out fine”
  • Team smarts — “The organizational equivalent of street smarts, you know who to talk to to get things done”
  • A simple mindset — “Refers to the ability to take the ocean of data we all have at our fingertips and distill it down to the one, two or three things that are important”
  • Fearlessness — “Some CEOs take a lower-rung job to run a smaller division so they could learn more”

Bryant also discussed some unusual interview questions that CEOs at different companies rely on, including:

Zappos: What is the biggest misperception that people have about you?
“I think the biggest one is that I’m pretty insanely competitive, but it turns out that that question is just the setup for the punch line, which is ‘what’s the difference between misperception and perception?’”

Google: On a scale of 1-10, how weird are you?
We’re all weird to some degree. I like this question. It signals to job candidates that everybody’s weird and we want to bring that weird here — not too much, but some. If someone screams 12, you can move on.

ING Direct: There are five animals (rabbit, lion, cow, horse and monkey) and you’re about to go on a journey, but you have to leave one behind. Which one do you choose?

“According to the test, each animal stands for something, and apparently this test tells you about the person you’re interviewing,” Bryant said. “I chose rabbit, and the guy I was interviewing for the column said that rabbit stands for love, meaning I’d be willing to work for three weeks straight and make it up to my family later on. My wife read it when it came out. And, well, it’s kind of hard to claim you were misquoted in your own article.”

The State of Risk-Based Security Management

During my time at the Gartner Security & Risk Management Conference last week, I had the chance to sit down with Dwayne Melancon, chief technology officer at Tripwire, an IT security software firm. I was introduced to the term risk-based security management (RBSM) and presented with a report issued by Tripwire with research conducted by the highly regarded Ponemon Institute titled “The State of Risk-Based Security Management.” Here, Melancon answers a few questions regarding the report and the state of security risk management in general.

First of all, what motivated you and your team to dig deeper into this issue and publish this report?

DM: For the past five or six years, a lot of our focus has been on trying to translate security information to compliance auditors. About a year or a year-and-a-half ago, we started to notice an influx of people talking about risk and risk management. So we commissioned the Ponemon Institute to do an independent study to find out what’s going on with risk: Where are the people, what are the challenges, what are the concerns about it? They surveyed a little over 2,000 people worldwide. The idea was to establish sort of a baseline: What’s the current state of practice in thinking and where are there gaps? When you dig into the demographics, it’s a good cross-section not just of companies, but of industries, job titles and so on.

Who is this report geared towards?

DM: I would say it would appeal to a couple of audiences. One are the CIO, CISO-level people who understand their side of technology but need to relate to other business executives outside of their world. And then the other to me is really when you get to the IT mid-management person who has to kind of focus their resources, make sure their staff’s focused on the right thing, but then communicate value up, to either their boss or their boss’ boss. I think those are the two audiences who would probably get the most out of this.

What was the most interesting aspect of the report?

DM: A couple of things. One is that there is a lot of talk and not a lot of walk yet. So, somewhere around 77 or 80% of the organizations said that risk management was important, but less than half are actually doing anything about it.

We see that a lot — people saying we need a risk management program and understand its value, but fail to implement it.

DM: Definitely. And another piece that seemed to be related to that was that there was a lot of inconsistency in who really owns the risk management program. So it was all over the map. You would think that, typically, it would be somebody senior in the organization, because most of the time, unless somebody really endorses it, it’s the “tone at the top” thing. Unless somebody at the top says, ‘this is important,’ then it becomes sort of a David and Goliath thing — some superhero in IT who decides they’re going to take this on and they get frustrated.

The term “risk-based security management.” Have you heard it used before or is this a new term in the world of risk management?

DM: We’ve heard it mentioned and when we heard it we decided that it sounds a lot like what we’re focused on. Where this came together, and I think it’s a linkage to our compliance roots, is that when we dealt with a lot of audits, scoping was really important and they always talk about the importance of a top-down risk-based assessment to figure out what’s in scope and what’s not, what’s relevant and what’s not. And one of our audit clients started describing it as risk-based security. And we said, ‘OK, that makes a lot of sense.’ Because if you have a good understanding of where the risks are, then you can align your budget, your resources, and what you report on based on risk and it makes it easier. Especially when you deal with non-technical executives. A lot of them tend to have financial backgrounds. They understand risk and they understand controls. So if you can kind of frame it in that, it’s a better starting point than trying to explain what patching is, for instance.

Was there anything in the report you found shocking?

DM: One other thing I thought was surprising is that when we asked people about data — there seems to be a dearth of metrics, a lot of people are trying a bunch of things to see what works — one thing that bothered me was that so many organizations had cost as their primary measure. I think cost is a good indicator, but it’s not a metric because you can’t drive costs and risk gets better. It just doesn’t work that way. We’ve been trying to help people understand that. It’s kind of a two-way street: What metrics are working for you, here are some things we’ve seen work.

Here is a shocking chart presented in the report:

Advanced Persistent Response

Yesterday, at the Gartner Security & Risk Management Summit, I sat in on a session on advanced persistent response, presented by Tom Kellermann, vice president for cybersecurity, North America, for Trend Micro. Many of us are familiar with advanced persistent threats; the term advanced persistent response was coined, in a way, as a deliberate echo of that name, a nod to the elite hackers of the world.

Let us reflect on history. “There is a lot we can learn from Constantinople,” said Kellermann. “It was never defeated in battle until 1453. It demonstrated the fact that perimeter defenses were inefficient regarding onslaughts. Traditional internet security is insufficient. In fact, Trend Micro evaluations find over 90% of infrastructure is infected by malware.”

Kellermann noted that the cyber kill chain, the set of sequential stages that make up an advanced attack, has evolved significantly. The kill chain goes as follows:


This year, an eighth stage has been added to the chain, known as the maintenance stage. “This eighth stage is due to hackers worrying about other hackers infiltrating the systems they have attacked more so than being worried about you,” said Kellermann. “We’ve noticed they’ve moved command and control into your systems and network. We really have to move beyond the technologies we’ve used for years and achieve advanced persistent response.”

Kellermann also acknowledged some emerging threats on the cyberwarfare landscape, including:

  • professionalization and commoditization of exploit kits
  • modularization
  • increased sophistication of traffic direction systems
  • ransomware
  • new exploitation vectors introduced via HTML5
  • evolution of mobile threats
  • continued exploitation of social networks
  • Metasploit
  • BYOD, aka BYOM (bring your own malware)

He notes that although street crime is down 20%, that doesn’t mean there are fewer criminals; they’re just migrating to cyberspace. He points to Android malware and the fact that it “has exploded.” In a frightening example, he explains what cyber criminals are able to do with Android phones now. “They can go into your phone and look at your calendar. They say, ‘I see on your calendar that you have a very important meeting on a certain day. During that meeting I’m going to turn on the microphone on your cell phone and at the same time hack into everyone’s phone who’s at that meeting.’”

As for Kellermann’s 2012 predictions, they aren’t pretty:

  • mobile malware will continue to explode
  • app attacks will increase
  • botnet migration
  • cloud attacks
  • web injection attacks

This is serious information that every company must take into consideration. Not every organization will have to deal with advanced persistent threats, but every organization should be prepared, using the theory of advanced persistent response.

Security and Risk Management as a Social Science

Here at the Gartner Security & Risk Management Summit, I sat in on a session regarding human behavior and its connection to information security. Tom Scholtz, an analyst with Gartner, started off with a statement many of us know to be true, but often forget.

“The single weakest link in the information security chain still remains the human being,” he said.

In Scholtz’s view we are increasingly coming to the realization that by focusing on individuals’ human behavior and how we can influence it, we can learn how to create a more secure environment. “By 2015, one out of four enterprises will use social and behavioral sciences techniques to drive cultural and behavioral change in their information security programs. Maybe understanding how individuals react differently will give us an understanding in improving our security measures.”

He advises that security professionals should start focusing on human behavior as a root cause rather than a symptom. “We need to understand how individuals react differently to risks and the controls to mitigate risks.”

The key issues regarding behavior and information security:

  1. How is the information security and risk management discipline evolving and what are the consequences?
  2. What are the parallels and overlaps with social and behavioral sciences?
  3. What strategies and tactics should information security and risk leaders adopt to exploit this evolution?

It is vitally important for organizations to consider these questions. But it may be better to seek answers from an outside source, in order to prevent groupthink. “Groupthink tends to polarize views,” said Scholtz. “If you have the same group of individuals who sit in the same office eight hours a day, they’re going to have similar attitudes towards things. We need to understand how those working environments pressurize people into beliefs which they might not have if it was on a one-on-one basis or under a different work environment.”

So what kind of insights do we get from the social sciences? People react differently. To understand this is to become a pioneer in understanding human behavior and its importance in developing an ever-evolving information security program.