Podcasts about information systems audit

  • 20 podcasts
  • 25 episodes
  • 39m average episode duration
  • Infrequent episodes
  • Latest episode: Oct 2, 2024

Latest podcast episodes about information systems audit

Awkward Insurance
Solving the Communication Barrier Between Tech and Insurance
Oct 2, 2024 (26:33)


Level up your industry language by visiting www.riskeducation.org/insurtech to learn about a brand new self-paced course developed with BrokerTech Ventures: Introduction To Insurance for Insurtech Professionals.

Douglas Ver Mulm is currently the Chief Executive Officer at Turris, a financial infrastructure platform for the insurance industry. Prior to this, Douglas was the Co-Founder & CEO at Stable Insurance, focusing on distribution and analytics for insurance in the shared/on-demand economy. With a background in law and economics/finance, Douglas has also served as a Volunteer Executive Director at InsurTech Association and as a Lead Mentor at Founders Network.

Garrett Droege, CIC, CPCU, CLCS, CBIA, CWCA, CRIS serves as Senior Vice President and Director of Innovation and Digital Risk Practice Leader at IMA Financial. His role oversees IMA's national focus in the technology and digital risk verticals (collectively called the Advanced Industries Specialty). He also co-manages IMA Labs, IMA's insurtech innovation, investment, and strategy with BrokerTech Ventures. Additionally, he is part of the founding team of IMA's web3Labs initiative and helped IMA become the first broker to build an insurance and risk management facility in the metaverse and issue the industry's first “proof of coverage” via blockchain/NFT. He serves on the Crypto.Chicks NFT Advisory Board and consults with several other NFT projects. Prior to his current role, he served as CEO/Executive Director of TechAssure Association, Inc., an international consortium of insurance agents/brokers specializing in technology-related risks. Garrett's expertise includes Errors & Omissions, Cyber, and Technology Risk Management. Additionally, he is a brokerage technology specialist – focused on InsurTech, AMS/BMS/CRM platforms, data mining, and client journey tech stack development.

Garrett has designed complex insurance and risk management programs for some of the most sophisticated and diverse tech businesses in the country. These include firms in info tech, medical technology, telecommunications, new media and all types of digital risk and blockchain. Garrett is an alumnus of University of North Carolina at Wilmington and The Hartford School of Insurance. He was named to the Charlotte Business Journal's 40 Under Forty list and Insurance Business America's Young Guns of Insurance list. Garrett is routinely featured in national publications and media productions, including NPR's All Things Considered. He holds the esteemed Chartered Property Casualty Underwriter (CPCU) and Certified Insurance Counselor (CIC) industry designations, among others. He has been a featured keynote speaker for numerous organizations, including: Federal Bureau of Investigation, National Public Radio, CIO Magazine, Society of CPCU, Insurance Innovators, FinTech Association of Hong Kong, Net Diligence, Healthcare Information & Management Systems Society (HIMSS), Information Systems Audit and Control Association (ISACA), North Carolina Technology Association, Texas Blockchain Council and many more. Droege has been named three times to the Hot 100 List – a group of the top 100 insurance professionals that have “moved the industry forward” over the past 12 months. Garrett also serves as an advisor and mentor to several technology startup companies and has extensive relationships with global accelerator programs and investors. He is a frequent guest on business podcasts including: “The Insurance Guys”, Lowenstein Sandler's “Don't Take No For An Answer,” “InsurTech Geek Podcast,” “Beyond Insurance,” “A.I. Wisdom,” “The Insurance Coffeehouse.”

Focusing exclusively on risk management and insurance professional development, the Risk & Insurance Education Alliance provides a practical advantage at every career stage, positioning our participants and their clients for confidence and success.

HPE Tech Talk
Tackling burnout in cybersecurity
May 30, 2024 (20:08)


In this episode we are looking at a growing issue in the tech field: burnout among cyber security professionals. A report shared by the Information Systems Audit and Control Association shows that 51% of people working in cyber security may leave their job in the next year because of stress. But it's not just the stress of protecting organisations that is having an effect on people's mental health in the sector. It's an area that led today's guest, cyber security expert Peter Coroneos, to set up Cybermindz.org - a not-for-profit to help address and prevent burnout in the cybersecurity industry.

This is Technology Now, a weekly show from Hewlett Packard Enterprise. Every week we look at a story that's been making headlines, take a look at the technology behind it, and explain why it matters to organizations and what we can learn from it.

Do you have a question for the expert? Ask it here using this Google form: https://forms.gle/8vzFNnPa94awARHMA

About the expert: https://www.linkedin.com/in/petercoroneos/?originalSubdomain=au

Sources and statistics cited in this episode:
  • Cybermindz.org: https://cybermindz.org/
  • ISACA report: https://www.isaca.org/resources/news-and-trends/newsletters/atisaca/2023/volume-48/cybersecurity-and-burnout-the-cybersecurity-professionals-silent-enemy
  • Statistics on the cyber security workforce: https://www.isc2.org/Insights/2023/11/ISC2-Cybersecurity-Workforce-Study-Looking-Deeper-into-the-Workforce-Gap
  • Global spending on cyber security: https://www.statista.com/outlook/tmo/cybersecurity/worldwide#revenue
  • Study into the mental health of cyber security professionals: https://www.tines.com/reports/state-of-mental-health-in-cybersecurity
  • 3D printed ‘skin' sensors: https://ieeexplore.ieee.org/document/10473193


HPE Tech Talk, SMB
Tackling burnout in cybersecurity
May 30, 2024 (20:08)



Passionate Pioneers with Mike Biselli
Elevating Patient Engagement with Dave Bennett
Jul 31, 2023 (32:12)


This episode's Community Champion Sponsor is Catalyst.

Episode Overview: During this episode, we sit down with Dave Bennett, President and CEO of pCare, a visionary company leading the charge in patient engagement through digital and mobile technologies. With a storied history dating back 75 years, pCare has evolved from a TV rental business to a cutting-edge patient experience platform integrated with healthcare systems. Dave shares the profound impact of culture on technology adoption and the invaluable lessons learned during the pandemic. Join us as Dave highlights the power of digital transformation in healthcare and how it can improve patient outcomes and experiences. Get ready to be inspired by Dave's dedication to making a difference in the healthcare industry through pCare's work of elevating patient engagement. Let's go!

Episode Highlights:
  • pCare's evolution from a TV rental business to a leading patient engagement company with a 75-year history.
  • The vital role of culture in successful technology adoption for meaningful patient engagement.
  • Opportunities and challenges in healthcare's digital transformation, accelerated by the pandemic.
  • Heartwarming pandemic stories: pCare facilitating patient and family connections.
  • Dave's passion for healthcare impact and the call for collaboration to drive innovation in patient engagement.

About our Guest: Dave Bennett's visionary approach to patient engagement, digital and mobile technologies, and IT integration ensures continuous innovation of the #1-KLAS ranked pCare platform and a company culture dedicated to delighting customers. Prior to joining pCare, Dave served in a variety of executive roles at ViiMed, GetWellNetwork and StayWell. Dave holds a CISM certificate from ISACA and is an active member of the Healthcare Information and Management Systems Society (HIMSS), The American Health Information Management Association (AHIMA), Information Systems Audit and Control Association (ISACA), and the American College of Healthcare Executives (ACHE).

Matt Brown Show
MBS639 - Secrets of #Fail: Revolutionizing Patient Engagement with Dave Bennett at pCare (Secrets of Fail #31)
Apr 12, 2023 (14:28)


Welcome to the "Secrets of #Fail," a new pod storm series hosted by Matt Brown. In this series of 2023, Matt dives deep into the world of failures and lessons learned along the way from high-net-worth individuals. Join Matt as he dives into the world of failures and lessons.

Series: Secrets of #Fail

Dave Bennett's visionary approach to patient engagement, digital and mobile technologies, and IT integration ensures continuous innovation of the #1-KLAS ranked pCare platform and a company culture dedicated to delighting customers. Prior to joining pCare, Dave served in a variety of executive roles at ViiMed, GetWellNetwork and StayWell. Dave holds a CISM certificate from ISACA and is an active member of the Healthcare Information and Management Systems Society (HIMSS), The American Health Information Management Association (AHIMA), Information Systems Audit and Control Association (ISACA), and the American College of Healthcare Executives (ACHE).

Get an interview on the Matt Brown Show: www.mattbrownshow.com

Awkward Insurance
A Byte-Sized Tech Chat with Garrett Droege, CIC
Apr 5, 2023 (42:53)


Garrett Droege, CIC, CPCU, CLCS, CBIA, CWCA, CRIS

Garrett Droege serves as Senior Vice President and Director of Innovation and Digital Risk Practice Leader at IMA Financial. His role oversees IMA's national focus in the technology and digital risk verticals (collectively called the Advanced Industries Specialty). He also co-manages IMA Labs, IMA's insurtech innovation, investment, and strategy with BrokerTech Ventures. Additionally, he is part of the founding team of IMA's web3Labs initiative and helped IMA become the first broker to build an insurance and risk management facility in the metaverse and issue the industry's first “proof of coverage” via blockchain/NFT. He serves on the Crypto.Chicks NFT Advisory Board and consults with several other NFT projects. Prior to his current role, he served as CEO/Executive Director of TechAssure Association, Inc., an international consortium of insurance agents/brokers specializing in technology-related risks. Garrett's expertise includes Errors & Omissions, Cyber, and Technology Risk Management. Additionally, he is a brokerage technology specialist – focused on InsurTech, AMS/BMS/CRM platforms, data mining, and client journey tech stack development.

Garrett has designed complex insurance and risk management programs for some of the most sophisticated and diverse tech businesses in the country. These include firms in info tech, medical technology, telecommunications, new media and all types of digital risk and blockchain. Garrett is an alumnus of University of North Carolina at Wilmington and The Hartford School of Insurance. He was named to the Charlotte Business Journal's 40 Under Forty list and Insurance Business America's Young Guns of Insurance list. Garrett is routinely featured in national publications and media productions, including NPR's All Things Considered. He holds the esteemed Chartered Property Casualty Underwriter (CPCU) and Certified Insurance Counselor (CIC) industry designations, among others.

He has been a featured keynote speaker for numerous organizations, including: Federal Bureau of Investigation, National Public Radio, CIO Magazine, Society of CPCU, Insurance Innovators, FinTech Association of Hong Kong, Net Diligence, Healthcare Information & Management Systems Society (HIMSS), Information Systems Audit and Control Association (ISACA), North Carolina Technology Association, Texas Blockchain Council and many more. Droege has been named three times to the Hot 100 List – a group of the top 100 insurance professionals that have “moved the industry forward” over the past 12 months. Garrett also serves as an advisor and mentor to several technology startup companies and has extensive relationships with global accelerator programs and investors. He is a frequent guest on business podcasts including: “The Insurance Guys”, Lowenstein Sandler's “Don't Take No For An Answer,” “InsurTech Geek Podcast,” “Beyond Insurance,” “A.I. Wisdom,” “The Insurance Coffeehouse,” and more.

InfosecTrain
CISM Vs. CRISC
Nov 8, 2022 (4:12)


Cybersecurity and information security are among the most in-demand career options in today's world. This comprehensive blog is curated to provide the key differences between the Certified Information Security Manager (CISM) and Certified in Risk and Information Systems Control (CRISC) certifications, which are among the highest-paying IT certifications in the information security domain.

What is CISM? Certified Information Security Manager (CISM) is a professional certification accredited by the Information Systems Audit and Control Association (ISACA) that validates the level of expertise in information security governance, incident management, program development and management, and risk management. It is an advanced certification mainly focusing on the enterprise's information security.

What is CRISC? Certified in Risk and Information Systems Control (CRISC) is an advanced certification accredited by the Information Systems Audit and Control Association (ISACA). It validates skills and knowledge in implementing risk management programs and best practices to identify, analyze, assess, prioritize, and respond to risks. This certification mainly focuses on enterprise IT risk management.

CISO Tradecraft
#96 - The 9 Cs of Cyber
Sep 19, 2022 (30:33)


Ahoy! and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader.  My name is G. Mark Hardy, and today we're going to -- talk like a pirate.  ARRR As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates. On today's episode we are going to talk about the 9 Cs of Cyber Security.  Note these are not the 9 Seas that you might find today, the 19th of September, which happens to be the 20th annual International Talk like a Pirate Day.  They are the nine words that begin with the letter C (but not the letter ARRR): Controls, Compliance, Continuity, Coverage, Complexity, Competency, Communication, Convenience, Consistency. Please note that this talk is inspired by an article by Mark Wojtasiak from Vectra, but we have modified the content to be more aligned with our thoughts at CISO Tradecraft. Now before we go into the 9 Cs, it's important to understand that the 9 Cs represent three equal groups of three.  Be sure to look at the show notes which will link to our CISO Tradecraft website that shows a 9-box picture which should make this easier to understand.  But if you're listening, imagine a three-by-three grid where each row corresponds to a different stakeholder.  Each stakeholder is going to be concerned with different things, and by identifying three important priorities for each, we have our grid.  Make sense?  Okay, let's dig in. The first row in our grid is the focus of Executive Leaders. First, this group of executives such as the CEO, CIO, and CISO ensure that the IT controls and objectives are working as desired.  Next, these executives want attestations and audits to ensure that compliance is being achieved and the organization is not just paying lip service to those requirements.  Thirdly, they also want business continuity.  
IT systems must be constantly available despite attacks from ransomware, hardware failures, and power outages. The second row in our grid is the focus of Software Development shops. This group consists of Architects, Developers, Engineers, and Administrators.  First, they need to ensure they understand the Coverage of their IT systems in asset inventories -- can we account for all hardware and software.  Next, developers should be concerned with how Complexity in their environment can reduce security, as these tend to work at cross-purposes.  Lastly, developers care about Competency of their teams to build software correctly; that competency is a key predictor of the end quality of what is ultimately produced. The third and final row in our grid is the focus of Security Operations Centers. This group consists of Incident Handlers and Responders, Threat Intelligence Teams, and Business Information System Officers commonly known as BISOs.  They need to provide clear communication that informs others what they need to do, they need processes and tools that enable convenience so as to reduce friction.  Finally, they need to be consistent.  No one wants a fire department that only shows up 25% of the time. So now that we have a high-level overview of the 9 C's let's start going into detail on each one of them.  We'll start with the focus of executive leaders.  Again, that is controls, compliance, and continuity. Controls- According to James Hall's book on Accounting Information Systems[i], General Computer Controls are "specific activities performed by persons or systems designed to ensure that business objectives are met." Three common control frameworks that we see inside of organizations today are COBIT, COSO, and ITIL. COBIT®, which stands for The Control Objectives for Information Technology was built by the IT Governance Institute and the Information Systems Audit and Controls Organization, better known as ISACA®.  
COBIT® is primarily focused on IT compliance, audit issues, and IT service, which should not be a surprise given its roots from ISACA® which is an Audit and Controls organization.  Overall, COBIT® 2019, the latest version, is based on the following six principles[ii] (note that the prior version, COBIT® 5[iii], had five): Provide stakeholder value Holistic approach Dynamic governance system Governance distinct from management Tailored to enterprise needs End-to-end governance system COSO  stands for The Committee of Sponsoring Organizations of the Treadway Commission.  Their latest version is the 2017 Enterprise Risk Management - Integrated Framework, which is designed to address "enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment.[iv]"  COSO states that internal controls are a PROCESS, effected by leadership, to provide reasonable assurance with respect to effectiveness, reliability, and compliance[v].  The framework consists of five interrelated principles[vi]: Governance and culture Strategy and objective-setting Performance Review and revision, and Information, communication, and reporting To support these principles, COSO defines internal controls as consisting of five interrelated components: Control environments, Risk Assessments, Control Activities, Information and Communication, and Monitoring Activities. The third framework is ITIL®, which stands for Information Technology Infrastructure Library. First published in 1989 (the latest update is 2019/2020), ITIL® is managed and maintained by AXELOS, a joint venture between the Government of the United Kingdom and PeopleCert, which acquired AXELOS in 2021. According to their website[vii], "ITIL 4 is an adaptable framework for managing services within the digital era.  
Through our best practice modules, ITIL 4 helps to optimize digital technologies to co-create value with consumers, drive business strategy, and embrace digital transformation." (Talk about buzzword compliance).  ITIL® 4 focuses on process and service management through service strategy, service design, service transition, service operation, and continual service improvement.  What is interesting is that there is no third-party assessment of ITIL® compliance in an organization, only individual certification. At the end of the day an organization needs to pick one of these popular control frameworks and show controls are being followed.  This isn't just a best practice; it's also required by Sarbanes Oxley.  SOX has two sections that require control attestations that impact cyber.  Section 302 requires corporate management, executives, and financial officers to perform quarterly assessments which: Evaluate the effectiveness of disclosure controls, Evaluate changes in internal controls over financial reporting, Disclose all known control deficiencies and weaknesses, and Disclose acts of fraud. Since financial services run on IT applications, cybersecurity is generally in scope for showing weaknesses and deficiencies.  SOX Section 404 requires an annual assessment by both management and independent auditors.  This requires organizations to: Evaluate design and operating effectiveness of internal controls over financial reporting, Disclose all known controls and significant deficiencies, and disclose acts of fraud. Once we understand the requirements for controls, we need to be Compliant. Compliance is the second C we are discussing today.  Remember the CFO and CEO need to produce annual and quarterly reports to regulators such as the SEC.  So, if you as a CISO can help them obtain a clean bill of health or fix previous audit findings, you help the business. 
A useful tool to consult in terms of compliance is a concept from the Institute of Internal Auditors known as the three lines model or three lines of defense[viii].  This model has as a foundation six principles: Governance Governing body roles Management and first- and second-line roles Third line roles Third line independence, and Creating and protecting value The first line of defense is the business and process owners who maintain internal controls.  You can think of a software developer who should write secure software because there is an IT Control that says so.  That developer is expected to run application security scans and vulnerability scans to find bugs in their code.  They are also expected to fix these issues before releasing to production.  The second line of defense are elements of an organization that focus on risk management and compliance.  Your cyber team is a perfect example of this.  If the developer doesn't fix the application vulnerabilities before sending code to production, then the company is at risk.  Cyber teams generally track and report vulnerability findings to the business units to ensure better compliance with IT controls. Finally, the third line of defense is internal audit.  Internal audit might assess an IT control on secure software development and say we have an issue.  The developers push out bad code with vulnerabilities.  Cyber tells the developers to fix, yet we are observing trends that the total vulnerabilities are only increasing.  This systemic risk is problematic, and we recommend management comply with the IT controls by making immediate fixes to this risky situation. Now, other than the observation that the ultimate line of defense (internal auditors) is defined by the Institute of Internal Auditors (no conflict of interest there), note that internal auditors can report directly to the board.  Developers and CISOs typically cannot.  One of the most powerful weapons in an auditor's toolbox is the "finding."  The U.S. 
Code defines what represents a finding[ix] in the context of federal awards, to include: Significant deficiencies and material weaknesses in internal control and significant instances of abuse Material noncompliance with the provisions of Federal statutes or regulations Known questioned costs, specifically identified by the auditor, greater than $25,000 for a type of compliance requirement Internal auditors have both a mandate from and access to the board to ensure that the organization meets compliance requirements.  So, if you've been unsuccessful in getting funding for what you consider a critical security asset, maybe, just maybe, you casually point that out to the auditors so that it ends up in a finding.  After all, findings get funded.  Don't get caught, though, or you'll have some explaining to do to your boss who previously turned you down. Management cares a lot about Continuity. Remember, if the business is down, then it's not making money, and it's probably losing money by the hour.  If the business isn't making money, then they can't pay for the cyber department.  So, among your goals as a cyber executive is to ensure the continuity of revenue-generation services.  To start, you must identify what those activities are and find ways to protect the services by reducing the likelihood of vulnerabilities found in those systems.  You also need to ensure regular backup activities are occurring, disaster recovery exercises are performed, Business Continuity Plans are tested, and tabletops are executed.  Each of these activities has the potential to identify gaps which cause harm to the continuity that executives care about. How do you identify revenue-generating elements of the business?  Ask.  But do your homework first.  If you're a publicly traded company, the annual report will often break out lines of business showing profit and loss for each.  Even if it's losing money today, it still may be vital to the organization.  
Think, ahem, about your department -- you're probably not making a profit for the company in the security suite, but your services are definitely important.  Look at the IT systems that support each line of business and assess their criticality to the success of that business component.  In today's digitized workplace, the answer will almost always be "yes," but since you don't have unlimited resources, you need to rack and stack what has to be protected first.  A Business Impact Analysis, or BIA, involves meeting with key executives throughout the organization, assessing the importance and value of IT-supported business processes, ranking them in the order in which they need to be assured, and then acting on that knowledge.  [I thought we had done an episode on BIA, but I checked back and couldn't find one.  So, expect to learn more about that in a future episode.] Backups and disaster recovery exercises are a must in today's world of ransomware and surprise risks, but make sure that you're not just hand-waving and assuming that what you think is working really is working.  Do what I call "core sampling" -- get with your team and dig way down until you reach some individual file from a particular date or can observe all logs collected for some arbitrary 5-minute period.  It's not that that information is critical in and of itself, but your team's ability to get to that information quickly and accurately should increase your confidence that they could do the same thing when a true outage occurs. Lastly, tabletop exercises are a great way to ensure that your team (as well as others from around the organization, up to and including senior leadership) know what to do when certain circumstances occur.  The advantage of tabletops is that they don't require much time and effort from the participants to go through emergency response procedures.  The disadvantage of tabletops is that you risk groupthink when everyone thinks someone else took care of that "assumed" item.  
Companies have been caught flat-footed when the emergency diesel generator doesn't kick in because no one in the tabletop tests ever thought to check it for fuel, and the tank was empty.  Things change, and there's nothing like a full-scale test where people have to physically go to or do the things they would in a true emergency.  That's a reason why kids in school don't discuss what to do in a fire drill, they actually do what needs to be done -- get out of the building.  Be careful here you don't have a paper tiger for a continuity plan -- it's too late when things start to come apart to realize you hadn't truly done your homework. Those are the three Cs for executives -- controls, compliance, and continuity.  Now let's move on to developers. If you remember, the three Cs for developers are coverage, complexity, and competency. Developers need to care about Coverage. When we talk about coverage, we want to ensure that we know everything that is in our environment.  That includes having a complete and up-to-date asset inventory, knowing our processes are free from security oversight, as well as ensuring that our security controls are deployed across all of our potential attack surfaces.  "We've got your covered" is usually considered reassuring -- it's a statement that someone has thought of what needs to be protected. Specifically, our technical team members are the only ones who can generally tell if the IT asset inventory is correct.  They are the ones who run the tools, update the agents (assuming we're not agentless), and push the reporting.  If the scanning tools we use are missing hardware or software, then those gaps represent potential landing zones for enemy forces.  The Center for Internet Security's Critical Controls start with these two imperatives.  Essentially, if you don't know what you have, how can you secure it? Knowing our processes is key.  
For developers today, it's much more likely that they're using a DevOps continuous integration / continuous delivery, or CI/CD, process rather than the classic waterfall methodology.  Agile is often an important part of what we do, and that continuous feedback loop between developer and customer helps to ensure that we cover requirements correctly (while being careful to avoid scope creep).  Throughout our development cycle there are numerous places where security belongs -- the art we call DevSecOps.  By putting all of our security processes into version control -- essentially automating the work and moving away from paper-based processes -- we create a toolchain that automates our security functionality from pre-commit to commit to acceptance to production to operations.  Doing this right ensures that security in our development environment is covered.

Beyond just the development pipeline, we need to cover our production environment.  Now that we've identified all hardware and software and secured our development pipeline, we need to ensure that our security tools are deployed effectively throughout the enterprise to provide protective coverage.  We may know how many servers we have, but if we don't check continuously that the defenses are running and up to date, we are effectively outsourcing that work to bad actors, who charge far higher billing rates than developers when they take down critical systems via ransomware.

In his book Data and Goliath, Bruce Schneier wrote, "Complexity is the worst enemy of security, and our systems are getting more complex all the time."[x]  Complexity is inversely correlated with security.  If there are two hundred settings that you need to configure properly to make containers secure, that's a big deal.  It becomes a bigger deal when the team only understands how to apply 150 of those settings.  Essentially, your company is left with fifty opportunities for misconfiguration to be abused by bad actors, and unlike a bug, a setting nobody set doesn't fail a test or crash anything; it quietly takes the platform default.
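To make the "fifty unapplied settings" concrete, here is an added example (not from the episode, and not code from any Kubernetes project) that checks a pod manifest, already parsed into a Python dict, against a short hardening baseline along the lines of the Kubernetes Pod Security Standards restricted profile plus two common additions (read-only root filesystem and resource limits). A setting the team never wrote comes back as `None`, which is the "silently takes the default" case. Both manifests and the image names are constructed for illustration.

```python
# Per-container settings and the value the baseline requires. A container that
# never sets one of these gets None from the manifest, i.e. the platform default.
CONTAINER_BASELINE = {
    "privileged": False,
    "allowPrivilegeEscalation": False,
    "runAsNonRoot": True,
    "readOnlyRootFilesystem": True,
}
# Pod-level namespace sharing the baseline forbids; Kubernetes defaults these to false.
POD_BASELINE = {"hostNetwork": False, "hostPID": False, "hostIPC": False}


def check_pod(pod):
    """Return a list of (scope, setting, expected, actual) findings for one pod manifest.

    An empty list means every baseline setting is present and correct; each entry
    is one of the "opportunities for misconfiguration" the text talks about.
    """
    findings = []
    spec = pod.get("spec", {})

    for key, want in POD_BASELINE.items():
        got = spec.get(key, False)
        if got != want:
            findings.append(("pod", key, want, got))

    for vol in spec.get("volumes", []):
        if "hostPath" in vol:  # node filesystem mounted into the pod
            findings.append(("pod", f"volumes[{vol['name']}].hostPath", "absent",
                             vol["hostPath"].get("path")))

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c["name"]
        sc = c.get("securityContext", {})
        for key, want in CONTAINER_BASELINE.items():
            got = sc.get(key)  # None: never configured, default applies
            if got != want:
                findings.append((name, f"securityContext.{key}", want, got))
        dropped = sc.get("capabilities", {}).get("drop", [])
        if "ALL" not in dropped:
            findings.append((name, "securityContext.capabilities.drop", "ALL", list(dropped)))
        image = c.get("image", "")
        last = image.rsplit("/", 1)[-1]
        if ":" not in last or image.endswith(":latest"):  # mutable tag, not reproducible
            findings.append((name, "image", "pinned tag or digest", image))
        if "limits" not in c.get("resources", {}):
            findings.append((name, "resources.limits", "set", None))
    return findings


def never_set(findings):
    """The subset of findings where nobody configured the setting at all:
    the '50 of 200' the team did not know to apply, as opposed to settings
    someone deliberately set to an unsafe value."""
    return [f for f in findings if f[3] is None]


# Constructed manifest as a team might first write it: only the bits needed to run.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "docker", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "app",
            "image": "registry.example.com/app:latest",
            "securityContext": {"privileged": True},
        }],
    },
}

# Constructed manifest with the baseline applied.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
    "spec": {
        "containers": [{
            "name": "app",
            "image": "registry.example.com/app@sha256:" + "a" * 64,
            "securityContext": {
                "privileged": False, "allowPrivilegeEscalation": False,
                "runAsNonRoot": True, "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        found = check_pod(pod)
        print(f"{pod['metadata']['name']}: {len(found)} findings, {len(never_set(found))} never set")
        for scope, setting, want, got in found:
            print(f"  {scope:4} {setting:42} want={want!r} got={got!r}")
```

Run it against a real manifest by passing the dict that PyYAML's `yaml.safe_load` returns. The `never_set` list is the one worth acting on first, and the cheaper fix than a periodic audit is to reject such manifests at admission time so the fifty settings cannot reach production unconfigured.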
Therefore, when possible, focus on how to minimize complexity.  For example, instead of running your own containers on premises with Kubernetes, try using Amazon Elastic Container Service (ECS).  That is a significant decrease in configuration complexity.  In addition, using cloud-based services gives us a lot of capabilities -- elastic scaling, load balancers, multiple regions and availability zones, and even resistance to DDoS attacks.  That's a lot of overhead to build yourself for a high-availability application running on servers in your own data center.  Consider using AWS Lambda, where all of that is already handled as a service for our company.  The caveat is that a managed service removes the settings the provider now owns, not the ones you still own: IAM permissions, network exposure, and what is inside the container image or function package are still yours to get right.  Remember that complexity makes security more difficult and generally increases the costs of maintenance, so only increase complexity when the business benefit exceeds the costs.

From a business connectivity perspective, consider the complexity of relationships.  Many years ago, data centers were self-contained, with 3270 green screens (or punched card readers if you go back far enough) as input and fan-fold line-printer paper as output.  Essentially, the only connection that mattered was reliable electrical power.  Today, we have to be aware of what's going on in our industry and with our customers, suppliers, consumers, service providers, and, if we have them, joint ventures or partners.[xi]  This complex web of competing demands stretches our existing strategies, and sometimes rends holes in our coverage.  I would add to that awareness complexity in our workforce.  How did COVID-19 affect your coverage of endpoints, for example?  Most work-from-home arrangements lost the protection of the enterprise security bubble, with its firewalls, scanners, and closely managed endpoints.  Just issuing a VPN credential to a developer working from home doesn't do much when junior sits down at mom's computer to play some online game and downloads who-knows-what.
Consider standardizing your endpoints for manageability -- remove the complexity.  When I was in the Navy, we had exactly two endpoint configurations from which to choose, even though the Navy-Marine Corps Intranet, or NMCI, was the largest intranet in the world at the time.  Although frustrating when you have to explain to the admiral why his staff can't get fancier computers, the offsetting benefit is that when an emergency patch has to get pushed, you know it's going to "take" everywhere.

Number six is Competency -- another crucial skill for developers.  If your organization doesn't have competent developers, then more vulnerabilities are going to emerge.  So how do most other industries demonstrate competency?  They use a licensure and certification process.  For example, teenagers in the United States must obtain a driver's license before they are legally approved to drive on their own.  Nearly all of us have been through the process -- get a manual when you get a learner's permit, go to a driving school to learn the basics, practice with your terrified parents, and after you reach the minimum age, try not to terrify the DMV employee in the passenger seat.  In the UK, the Driver and Vehicle Standards Agency recommends a minimum of 47 hours of lessons before taking the driving test, which still has only a 52% pass rate on the first attempt.[xii]

Now ask yourself: is developing and deploying apps riskier than driving a car?  If so, consider creating a Developer Driver's License exam that establishes that developers are competent before your company gives them the SSH keys to your servers.  Before your new developer sits for the exam, you also need to provide the training that identifies the Rules of the Road.  For example, ask: When a new application is purchased, what processes should be followed?  When are third-party vendor assessments needed?  How does one document applications in asset inventory systems and Configuration Management Databases?
If you can build the Driver's Education Training equivalent for developers and measure competency via an exam, you can reduce the risk that comes from bad development and create a sense of accomplishment among your team.

So, to summarize so far: for executives we have controls, compliance, and continuity, and for developers we have coverage, complexity, and competency.  It's now time to move to the last three, for our security operations center: communication, convenience, and consistency.

The seventh C is Communication.  Let's learn from a couple of quotes on effective communication.  Peter Drucker said, "The most important thing in communication is hearing what isn't said."  When you share an idea, do you look at the person you are informing to see if they understand it?  What body language are you seeing?  Are they bored and not facing you, are they engaged and leaning in and paying close attention, or are they closed off with arms crossed?  We've probably all heard the term "active listening."  If you want to ensure the other party understands what you're saying (or if you're trying to show them you understand what they are saying), ask the listener to repeat back in their own words what the speaker has just said.  You'd be amazed how few people are needed to play the game of "telephone" and distort a message to the point it is no longer recognizable.

George Bernard Shaw said, "The single biggest problem in communication is the illusion that it has taken place."  When you present a technical topic on a new risk to executives, ask questions to ensure they understand what you just shared.  If you don't, how do you know when you might be overwhelming them with information that goes right over their heads?  There's always the danger that someone will not want to look stupid and will just nod along like a bobblehead, pretending to understand something about which they have absolutely no clue.
Richard Feynman is widely quoted as saying, "If you can't explain it to a six-year-old, you don't understand it yourself."  Well, let me offer G Mark's corollary to that quote:  "If you can't explain it to a six-year-old, you can't explain it to your board."  And sometimes the big boss.  And sometimes your manager.  And sometimes your co-worker.  Ask for feedback; make sure the message is understood.

Earl Wilson said, "Science may never come up with a better office communication system than the coffee break."  When you want to launch a really important initiative that needs group buy-in, did you first have one-on-ones to solicit feedback?  Did you have an ear at the water cooler to understand when people say yes but really mean no?  Do you know how to connect with people so you can ask for a favor when you really don't have the resources necessary to make something happen?  Unless you are in the military, you can't issue lawful orders to your subordinates and demand that they carry them out.  You have to structure your communication in such a way that expectations are made clear, but also allow for some push-back, depending on the maturity of the relationship you've developed with your team.

[War story:  Just this past week, Apple released iOS 16.  We use iPhones exclusively as corporate-issued handsets, so I sent a single-sentence message to my senior IT team member:  "Please prepare and send an email to all who have an iPhone with steps on how to update the OS soonest.  Thank you."  To me, that seemed like clear communication.  The next day I get a response:  "People are slowly updating to 16.0 on their own and as the phone prompts them."
After a second request, where I point out that "slowly" has not been our strategy for responding to exploitable security vulnerabilities, I get a long explanation of how Apple upgrades work and how he's never been questioned in his long career -- essentially the person spent five times as much time explaining why he will NOT do the task rather than just doing it.  And today 80% of the devices are still not updated.  At times like this I'm reminded of Strother Martin in Cool Hand Luke:  "What we've got here is failure to communicate."  So, my lesson for everyone is that even though you think your communications are crystal clear, they may not be perceived as such.]

Our last quote is from Walt Disney, who said, "Of all our inventions for mass communication, pictures still speak the most universally understood language."  If you believe that pictures are more effective than words, think about how you can create the best pictures in your emails and slide decks to communicate effectively.  I remember a British officer who had visited the Pentagon years ago commenting, "PowerPoint is the language of the US military."  I think he's right, at least in that context.  Ask yourself: are pictures part of your language?

Convenience is the eighth C we are going to talk about.  How do we make something convenient?  We do it by automating the routine and removing the time wasters.  In terms of a SOC, we see technology in this space emerging with the use of Security Orchestration, Automation, and Response, or SOAR, tools.  Convenience can come in a lot of ways.  Have we created helpful playbooks that identify a process to follow?  If so, we can save time during a crisis when we don't have a minute to spare.  Have we created simple processes that work via forms rather than emails?  It's a lot easier to track how many forms have been submitted and filter on field data than to aggregate unstructured emails.  One thing you might consider as a way to improve convenience is a chatbot.
What if someone could ask a chatbot a frequently asked question and get a quick, automated, and accurate response?  That convenience helps people, and it saves the SOC time.  If you go that route, as new questions get asked, do you have a way to rank them by frequency and add them as new logic to the chatbot?  If you do, your chatbot gets more useful and provides even greater convenience to the workforce.  How great would it be to hear your colleagues say it was so convenient to report an incident and see that it was handled in such a timely manner?  Find ways to build that experience and you will become the partner the business wants.

Last, but not least, is the ninth C, Consistency.  Want to know how to create an audit finding?  Try not being consistent.  Auditors hate that and love to point out inconsistencies in systems.  I'm sure there are auditors right now listening to this podcast, smiling with joy and saying, "Yup, that's me."  Want to know how to pass every audit standard?  Try passing the CARE standard for cybersecurity.  CARE is a Gartner acronym that stands for Consistent, Adequate, Reasonable, and Effective.  Auditors look at the Consistency of controls by performing tests to determine whether the control works the same way over time and across the organization.  Auditors also look for Adequacy, to determine whether you have satisfactory controls in line with business needs.  Auditors check that your practices are Reasonable by identifying whether appropriate, fair, and moderate controls exist.  Finally, auditors look at Effectiveness, to ensure the controls are producing the desired or intended outcomes.  So, in a nutshell, show auditors that you CARE about cybersecurity.

Okay, let's review.  Our nine Cs are for executives, developers, and SOC teams.  Executives should master controls, compliance, and continuity; developers should master coverage, complexity, and competency; and SOC teams should focus on communication, convenience, and consistency.
If you paid careful attention, I think you would find lessons for security leaders in all nine boxes across the model.  Essentially, don't conclude that because boxes four through nine are not for executives you don't need to master them -- all of this is important to being successful in your security leadership career.

Well, thanks again for listening to the CISO Tradecraft podcast as we discussed the 9 Cs.  And for International Talk Like a Pirate Day, I do have a rrr-request:  if you like our show, please take a few seconds to rate us five stars on your favorite podcast provider.  Another CISO pointed out to me this past week that we came up first on Spotify when searching for C-I-S-O, and that's because those rankings are crowd-sourced.  It's a great way to say thank you for the time and effort we put into our show, and I thank you in advance.  This is your host G. Marrrrk Hardy, and please remember to stay safe out there as you continually practice your CISO Trrrradecraft.

References
https://www.vectra.ai/blogpost/the-9-cs-of-cybersecurity-value
https://en.wikipedia.org/wiki/Information_technology_controls
https://www.isaca.org/resources/cobit
https://www.apexgloballearning.com/cobit-vs-itil-governance-framework-company-choose-infographic/
https://www.slideshare.net/alfid/it-control-objectives-framework-a-relationship-between-coso-cobit-and-itil
https://internalaudit.olemiss.edu/the-three-lines-of-defense/
https://www.linkedin.com/pulse/15-quotes-effective-communication-jim-dent-lssbb-dtm/
https://www.gartner.com/en/articles/4-metrics-that-prove-your-cybersecurity-program-works
[i] Hall, James A. (1996). Accounting Information Systems. Cengage Learning, 754.
[ii] https://www.isaca.org/resources/news-and-trends/industry-news/2020/cobit-2019-and-cobit-5-comparison
[iii] https://www.itgovernance.co.uk/cobit
[iv] https://www.coso.org/SitePages/Enterprise-Risk-Management-Integrating-with-Strategy-and-Performance-2017.aspx
[v] https://www.marquette.edu/riskunit/internalaudit/coso_model.shtml
[vi] https://www.coso.org/Shared%20Documents/2017-COSO-ERM-Integrating-with-Strategy-and-Performance-Executive-Summary.pdf
[vii] https://www.axelos.com/certifications/itil-service-management/what-is-itil
[viii] https://www.theiia.org/globalassets/site/about-us/advocacy/three-lines-model-updated.pdf
[ix] https://www.law.cornell.edu/cfr/text/2/200.516
[x] https://www.goodreads.com/quotes/7441842-complexity-is-the-worst-enemy-of-security-and-our-systems
[xi] https://www.pwc.com/gx/en/issues/reinventing-the-future/take-on-tomorrow/simplifying-cybersecurity.html
[xii] https://www.moneyshake.com/shaking-news/car-how-tos/how-to-pass-your-uk-driving-test

STEMming in Stilettos with Dr. Toshia
Meet Octavia Howell: Cybersecurity, The Ingenuity of kids, Recognizing Your Gifts and Talents, and Blessings!!

STEMming in Stilettos with Dr. Toshia

Play Episode Listen Later Jun 23, 2020 46:41


Episode Main Points:
1) Being true to yourself starts early
2) Having a mentor to guide you is healthy
3) There is so much that we don't understand about cybersecurity; more education is needed
4) Being a black unicorn is important to acknowledge and embrace, and bringing other black unicorns together is needed for our collective good
5) A herd of unicorns is called a blessing

Octavia Howell Bio:
Octavia is an experienced technical leader who specializes in networks, cyber security, and building operationally excellent, motivated cross-functional, multi-cultural teams. She is focused on career growth and helping everyone she encounters reach their career goals. Octavia is not your typical leader. She is highly technical and prides herself on understanding, solving problems, and discovering secure solutions for her business partners. She currently serves as an Information Security Officer for Equifax’s largest business unit. She is also the Founder and CEO of Augustus Redefined, an organization focused on the advancement of Black Women in Cyber. Octavia believes that a security leader should mentor, motivate, trust, and lead their teams to act with integrity and openness. She often says, “A team is only as strong as their leaders and each leader casts a shadow that they will be held accountable for.”
Octavia received a Bachelor of Science Degree in Computer Science and Mathematics from Spelman College and holds the CISSP, GISP, GCWN and GSLC (GIAC) certifications. She is a member of Alpha Kappa Alpha Sorority, Incorporated, the Information Technology Senior Management Forum (ITSMF), Women in Technology (WiT), Women in Cybersecurity (WiCyS), the International Consortium of Minority Cybersecurity Professionals (ICMCP), the International Information System Security Certification Consortium ((ISC)²), the Information Systems Audit and Control Association (ISACA), and the Information Systems Security Association (ISSA), and serves as a mentor to several participants within Year Up Greater Atlanta.
In her spare time, Octavia enjoys traveling, spending time with her family, and mentoring. She truly believes that we are placed on this earth to help each other achieve greatness (whatever that may be).
Website: www.augustusredefined.com

Living Corporate
194 See It to Be It : Public Accountant (w/ Uso Sayers)

Living Corporate

Play Episode Listen Later Mar 7, 2020 50:30


On the eighth installment of our See It to Be It series, our amazing host Amy C. Waninger sits down to chat with Uso Sayers, CISA, an IT Audit Professional with over 14 years of public accounting experience who currently works as a managing director at Johnson Lambert LLP. Uso graciously shares a bit about how she got involved in public accounting and what about it appealed to her, and she names a couple of organizations that help people of color feel supported and connected within the public accounting and IT audit field. She also discusses what surprised her about this work that she didn't expect going in, and she and Amy emphasize the importance of finding the place where you're different and going to listen.
Connect with Uso on LinkedIn.
Learn more about the National Association of Black Accountants.

TRANSCRIPT
Ade: What's up, y'all? This is Ade. Before we get into Amy's episode, I wanted to share some advice on working remotely. For those of us who are impacted by COVID-19, more commonly known as coronavirus--or if you're not at all impacted by COVID-19 but you are working and transitioning into a more remote lifestyle--I just wanted to share six quick tips that you want to try out to work for you. I do want to say that I don't necessarily abide by all of these rules. I simply know that they are good things to follow based off of me implementing them at some point or another or folks who are better, smarter than me offering these things up as advice. So first and foremost, I would set up a strict calendar. By that I mean I would accept every invite for every meeting. I would have any break times that I wanted to schedule. If there's a point when you're working remotely where you have a cleaner or a plumber or you have a doctor's appointment, keep an updated calendar and make sure that you are updating your team, because it helps you work asynchronously across your team. If folks know that you're not gonna be available between the hours of 5:00 a.m. to 7:00 a.m. 
Eastern time because you're asleep, or some psychos are in the gym, it gives them an opportunity to not pester you while you're away but also think through some questions of how they may better utilize your time when you do get back online. My second tip would be to use check-ins with your co-workers. By that, I mean use your daily stand-ups [?]. Use your Slack team channels if that's a thing. Use those things to keep in contact with your teams, because it's very easy to lose perspective in a sense and lose empathy for your friends or for your coworkers if they're not constantly top of mind. So in that sense, I would remember, you know, team birthdays. Maybe establishing a Slack reminder that it's someone's birthday [and] you all should go drop a Happy Birthday gift in their messages. All of that to say [laughs] that if you can remember to treat your teammates as teammates, as people, not just, you know, an avatar on the other side of the conversation you're having about poorly deployed code, it makes for a better work environment, as distributed as it may be. Thirdly--and these also sort of go hand-in-hand, but I would say that you should over-communicate. This also kind of ties into your strict calendar. Over-communicate. Ensure that any time away from your desk, any planned work that you're gonna be working on, any roadblocks that you're having, you say those things before they become problems, because it's so much easier to kind of get ahead of the horse before it gets out of the table. I don't know if that's an idiom that people actually use anymore, [laughs] but I do think that it's important to ensure that folks aren't caught blindsided, that if you've been working on something and you're stuck on it, give people an opportunity to help you out, and give others the grace to see you where you are so that you don't foster resentment. It's much easier to get something done if you speak up about it sooner rather than later, and it's difficult. 
I know, for one, it's something that I've had my issues with, especially in situations where you are, you know, bound to your home. Reduce your stress levels and just ask for help. Actually there was one thing that I didn't mention at the top when I said "Set up a strict calendar." On your calendars, I also recommend that you put your self-cues. If you're someone like me who--I drink a lot of caffeine over the course of the day, and I recently spoke to a nutritionist who kind of reminded me that when you work asynchronously and when you consume a lot of caffeine, caffeine suppresses your appetite, and it causes you to fall into really unhealthy eating patterns. More often than not, when you find yourself at home throughout the day you get really comfortable--too comfortable sometimes--so I kind of encourage that you set up your calendar so that you have a routine, so that you're not just, you know, at home and not separating what is home from what is official work time. So when you're working from home, set up your calendar so that you have a routine. Have, you know, time for a shower, time for breakfast, time for the gym if that's something you do in the morning, so that you have a much more regimented schedule. And on your calendar as well, put in your hunger cues. If you're gonna eat at, I don't know, 7:00 a.m., if you're gonna eat breakfast or drink a smoothie at 7:00 a.m., it stands to reason that by maybe 11:00 you might need a small snack, so put a snack cue in your calendar. Maybe at 12:30 you're going to need your larger lunch. Put your lunch on your calendar. These things are important to help you establish a routine around your new lifestyle. Okay, we skipped back up to one, so I'm just gonna finish up with five and six. #5 is to protect your space. 
Whether it's that you need a physical demarcation of where work happens versus where life happens or if you're the sort of person who is able to, you know, keep up with the simultaneous demands of your work life and your home life, then it doesn't really matter where you work as long as work gets done. Just make sure you're protecting your space. Make sure that, if your close of business is 5:00 p.m., you're not allowing the fact that you work from home to have you check, you know, e-mails at 11:30 p.m. when you're supposed to be asleep. Ensure that you're protecting your space and establishing boundaries in that way, and help others understand and protect those things by communicating what your boundaries are. Just because we're working from home and we're mandated to work from home doesn't mean that my time after, you know, 5:30 p.m. is available to you, and if you see me online, mind your business. As far as you are concerned I am off work, unless it is a dire emergency. And then the sixth thing is don't forget to move. It's very easy, I know. I fell into the trap of eating inconsistently, over-indulging, under-indulging, such that after I had worked remotely for a while I realized that it was getting harder for me to, like, move physically, and it's easier to get ahead of that by simply incorporating movement into your day so that you don't develop back problems or spine problems or anything like that as far as your abilities may allow, but I also think that it's a good way to get out of the monotony and to inject some freshness and a fresh perspective into your day. If you just incorporate a quick 10-minute walk or maybe do some squats or, you know, whatever it may be that you can incorporate into your life to make your life easier, that is helpful and beneficial to you and obviously doesn't take away from you enjoying your day, I would say you should incorporate those things. I've been blathering on for a while. I hope these tips helped you out. 
Please let us know if there are any tips that work for you when you work remotely or asynchronously with your teams. That's it for now from me. Thank you so much for listening in. Next up you have Amy.
Amy: Hi, Uso. Thank you for joining me.
Uso: Hello, Amy. Good evening. It's my pleasure.
Amy: Thank you. So I was wondering if you can tell me a little bit about your job as a tech auditor and how you got into that work.
Uso: Okay, sure. So being in public accounting, I guess you could say I happened upon it. So I had an undergrad in accounting, and I was in grad school studying finance. Given that I had accounting background I figured, "Hey, finance will be a good thing that can, you know, supplement and complement my accounting degree." So I started doing that and I realized I really didn't like finance, so I added information systems as a second major. But doing that opened up--because this was back in 2002 to 2004 when Enron was happening, [?] was going down, so SOX became a big thing. I graduated in '04, and SOX--you know, filers had to be compliant with SOX in 2004, and--
Amy: And SOX is the Sarbanes-Oxley legislation that sought to put some protections in place for consumers because companies were behaving very badly.
Uso: Exactly. [laughs] I could not have said that better. And so most companies, especially large companies, were required to have IT audits performed. They had controls that they had implemented, and these controls needed to be validated. So that's kind of how I got into the [?] realm. Now, fast-forward 15 years, I'm still doing it because I absolutely love it. 
I love learning about companies and understanding their control structure so I, you know, can figure out how we can help them, how we can give them recommendations that they can implement.
Amy: And when you talk about control structures, you mean things like separation of duties or checks on security so that the people who are accessing the system only have certain rights, the minimum rights that they need to do what they need to do and not extra stuff, right?
Uso: Yes, exactly. So, you know, most of the company's financials come from one of the systems, and what was happening back in the day, one person can take a transaction through the system without anyone else touching that transaction. So I can create a vendor, I can pay that vendor. I can then determine where that check goes where that vendor, which leads to fraud or could lead to fraud--errors too, but fraud is one of the bigger reasons, because one [?] could pretend to be a vendor and the company never get any products or services, but I'm also the receiving clerk, so I can check off that this item that we've ordered has been received, and then I send the payment. Or I can even do it for myself, you know? Create some type of a dummy company with my address and then pay myself that way, and a number of companies actually lost money that way. But then there are also other ways outside of just fraud. You can have errors. You can also just have things that are--when you are developing code, and I know we're kind of getting into the technical realm, but when you're--and that's where a lot of errors could potentially happen, but when you're developing code you have the ability to determine how things are being calculated. So you can determine that 1 times 1 is equal to 100 versus 1, and if there aren't checks and balances in place to validate that 1 times 1 is 1, then, you know, the company could be losing money and not realize it. 
I always remember when I was in college, one of the things they always talked about was the [Lloyd fraudware?]. I think the guy changed one of the configurations by, like, a penny, and he was siphoning that to his own account, and I think he ended up getting millions of dollars.
Amy: Oh, my gosh.
Uso: You know, so now having--ensuring that the same person who is creating and developing the configuration is not the person who is making that configuration the final configuration in the system, or at least having somebody inserted to check it and make sure it's doing what the company thinks it's doing, you know? That's kind of what we call the control structure.
Amy: Got you.
Uso: Now, with cybersecurity, the security piece is getting focus. I think with SOX, this change management piece was the big deal then. Security was important, but now with cybersecurity and personal information and protecting that personal information, security is being put on the map so to speak.
Amy: Mm-hmm, very good. So I know you got into this kind of a little by accident, because you were down the accounting path and then you just got interested in the IT side of things, but what surprised you about this work that you didn't expect before you got into it?
Uso: It is interesting. You know, when you--at least I when I thought of accounting, I thought "boring." And, you know, finance to some extent, but then even though IT audit is not truly core IT, you have the ability to learn a lot about the technical side of what companies do, because before you can offer a company recommendation you have to understand what they have configured and what they have in place, what systems they have, what infrastructure those systems sit on, and then how they're securing their environment, how they're ensuring that, you know, they're protecting--another big area in the IT control realm is that [?] recovery. 
If we remember 9/11, a number of companies went under because all of their operations were in that building. You know, Tower 1 or Tower 2. They did not have any of that information backed up to a different location. Now we all have phones, and you'd be surprised to know how many people do not back up their pictures and their contact information outside of their phones. So the phone falls in some water, and that's all of their information. And so, you know, that's also one of the areas that we look at, because in 2018, 2019, there's still companies that do not back up data or do not back up frequently, which may sound surprising. [laughs] But it is true. And helping them understand why it's important, or understand why it's important to back it up to something other than the machine where you have the information or outside of the building where you have your information so that you can access it if something happened. You know, you might have people say, "Well, we're not in a [?] plane." Okay, but a pipe could burst. You know? So [laughs] the risks are still there, and, you know, we help companies understand what their risks are so that they can design controls, they can help them make [?] those risks.Amy: That's terrific. So a lot of computing is moving to the cloud, and how are you managing those same risks when the companies don't own the servers and the computers that the work is really being done on?Uso: So two things. The company now has to hold their service provider, that cloud provider, accountable, and they also are still accountable, because at the end of the day it's their data. It's their information. As a client of theirs, I gave them my information. I did not give the cloud my information. So when something happens, I go to the company that I gave my information to. So what companies are doing, there's something called a SOC report, Service Organization Controls report. 
So the cloud service providers have auditors come in and review their controls, and one of the reasons why the cloud service providers are so successful [is] because they're doing such a large-scale operation. They can afford to have, you know, the best auditors come in, validate their controls, and they can afford to put robust controls in place. So a lot of these companies--the larger cloud providers I guess I should say, because some of the smaller ones are not as sophisticated, but the larger ones, they have very robust controls in place, and they love to have auditors come in and look at it and try to tear it apart so that they can demonstrate that their controls are robust. And even those large companies have incidents happen, you know? That's why the Amazons of the world, they have data centers on both coasts and different places, because things happen, and for companies that do not have the infrastructure in place to support that in house, putting it on the cloud is probably the next best thing because it's going into a secure infrastructure. Now, where some companies think, "Oh, I just put it in the cloud. It's okay." You have to ensure--the cloud companies, in those SOC reports there's something called complementary user entity controls, and what that says is I have this gate, but you design the lock, and you design who has access to that lock. And companies don't realize that, so they think "Oh, it's in the cloud. It's okay," but no, there are those complementary user controls. If you are not doing those things, then the cloud service provider can say, "Well, we did what we're supposed to do, but they came in through the gate. We put up the fence of the infrastructure, but the people came through the gate because they didn't put a lock on the gate like they were supposed to." 
They will tell you what are the things--you know, they may say, you know, "You must authorize all users that are granted access," or for firewalls, the firewall is kind of the router, I guess, so to speak. I'm trying to find a good way to explain it, but the firewalls protect the network. So, you know, if you have internet traffic, it has to flow through the firewall. The firewall validates that this traffic is coming from a computer that's authorized before it can view your information. But you have to set up the firewall to do that. The cloud service provider is not configuring your firewall to tell which of your people can come in and view your information, and sometimes companies don't realize that. So it's easier, but you have to take the steps to also ensure that you're doing those things that you need to do.Amy: Thank you for that. So, you know, I think it's fascinating the way this role is changing in terms of IT and just all of the technology that's available and the way our platforms are changing. I grew up in IT back in the day, and it seems like this is a place that is ripe with opportunity for people just coming out of college or maybe even looking for a career change. What would you say to someone who's interested in learning more about whether or not they might be a fit for this industry? What kinds of resources are available to them to learn more?Uso: And this is tricky, 'cause I wish schools--and I think some schools are getting there, 'cause ideally the colleges will be providing guidance in this area because there's so many career opportunities in the IT field, even in public accounting. So even the traditional--you know, even the traditional accountant or auditor is different now. For the financial audit teams, they're adding data scientists and they're adding data analysts, so those are fields that maybe five to ten years ago, it wasn't a thing, and people may not know that. 
Even four years ago, some people entered school and that was not a career path, and now in your graduating years it's an opportunity. Project manager, you know? You know, if you're on the company side, project managers are in great demand. Certified information systems security professionals, you know? They're in great demand. It can be intimidating, but Google's probably the best place to start because that usually has the most updated information. I can tell you a number of universities, and, you know, when you look up careers in auditing or careers in IT auditing, you'll see that it's no longer traditional just control management. There are risk management roles, security roles, the data roles like I said, and the data roles are becoming more and more important because of big data. You know, companies have all this data. Somebody has to analyze that data and assess it and determine, you know, how can we use it. Even for auditors, you're getting information from a company, you want to know if there's all of the information that I need. So let's say you're auditing an insurance company [and] you get a list of claims. You have to performance procedures to ensure that that list of claims has all of the claims that you wanted to see for the period of time that you wanted to see it. So you may see "I need to see all claims for 2018 over a million dollars." Well, how do you know that this report that they gave you has all this information on it? You have to do some type of validation procedures to get comfortable that the information on the report is complete and then do your auditing procedures to, you know, understand and test the accuracy of it. A lot of times also the bigger firms--so in public accounting the big four firms and some of the larger public accounting firms, they also have a lot of info on their website that can potentially help. But again, that may be skewed to their company. 
So I would say start with just, you know, a broad search on Google depending on what aspect of IT you're interested in and then kind of use--you know, I always go for a known site. So, like, if I'm Googling something and I see Harvard is in the top six, I probably will click on the Harvard Business Review's point of view and read there first before going to the next thing, 'cause there's some things that make you go like, "Hm, I don't know." [both laugh]Amy: So what about for people of color in this industry? I would imagine that there's a predominance, especially in management ranks and probably in some of the bigger companies--I know a lot of the bigger companies are really committed to diversity initiatives, but I would imagine that it's common for a person of color who goes into this work to be the only on their team or the only in their department. What resources or organizations are available in this industry so that people can feel supported, feel like they have a community in this space?Uso: Right, yeah. And it's interesting. So public accounting generally, yes, is still pretty traditional, all white male, but I noticed the IT audit side is very diverse. It's very interesting, because I think it's one of those areas where your skill--yes, politics play a part, but your skill set is needed and your skill set is valued and respected. And there are an number of resources. Most of the bigger firms have affinity groups that, you know, they're either women's groups, groups that are by race, and then even for sexual and gender-type diversity, there are groups for that. And then outside of the firms there are also various groups. You know, there's Women in Technology. There's the National Association of Black Accountants. There's the National Society of Black Engineers. There are a number of affinity groups that are out there that focus on helping minorities 1. connect with each other and 2. 
be exposed to the resources and development that they need in order to progress in their organizations, and it's one of those things where I personally feel like it's--when I started in public accounting, I was a member of the National Association of Black Accountants, and I felt like that really helped me to 1. understand what it takes to be a professional. It helped me to expand my network, because I got to meet not only people in my firm, but also people in other firms. I got to meet professionals at my level, professionals that were higher than me, professionals that were my gender, my race also outside of that, and that really helped me to have a wider view, a wider point of view and different points of view, as I progressed through my career. Some people feel as though these groups sometimes hinder your career, and I say it only does that if you're not being smart about how you're using your time. Because sometimes I think people only use this opportunity for social networking. They don't use it for any technical development. They don't use it to help auditors--like, one of the errors I have focused on as I was coming up in my career was the development of [?] students. So things that I learned, I would go back and present on campus or, you know, in that I was director of student [?] services, so, you know, help them build some of the governance documents, and even talk to some of the professors about some of the things that I'm seeing and things that they should be implementing and instilling in their students. So I'm a firm believer in it. Now, I can tell you that my white counterparts will always be like, "Well, why do we need a group for black people? What would happen if we had a group for white people?" It's like, "Kind of technically we do." [laughs]Amy: [laughs] Kind of all the groups are for white people unless they're saying specifically that they're not.Uso: Yeah, 'cause I think sometimes you get discriminated against. 
You know, people don't want to do it because they don't want to say that "I'm in this group," that, you know--and the group may be, you know, black or Latino or whatever in the name. There's alpha. There's also the [?] for the Asians, but even though the groups have that in their name, we welcome everyone, because we realize that we need that perspective from, you know, the white male manager, the white female manager, because they're the ones that can help us understand what their points of view are, and then we can also help them, because sometimes they realize, "Oh, wait. My view might be skewed," or "I was never exposed to anyone outside of my town, my city, my race," you know? So usually it's a two-way learning experience.Amy: So I want to put a really fine point on that, because I always tell people, "Go to the conference that's not for you. Show up at the meeting that's not for you. If you're at a conference, go to the breakout where you're not on the menu." Right? Like, find the place where you're different and go listen, because I think it's important for people--you know, the same person who says, "Why do we need an association of black accountants?" That's the person that needs to go to the meeting to listen, to learn why they need associations of black accountants, right? They have no ideas what kinds of barriers are in place for people who don't look like them, and so, you know, I always challenge people and they say, "Well, yeah, but, you know, how do I even learn about this?" Go sit down in the back of the room, don't raise your hand, take notes, pay attention, and--"What if someone asks me what I'm doing there?" And I say, "Tell them you're there to learn, and then zip it." [Uso laughs] Like, nobody's going to ever get mad at you because you want to learn more about their experience, right? 
So thank you for being on that train with me.Uso: And I've had people who have said being in that room where they were the only really opened their eyes, because they're sitting there and they're like, "Oh, my goodness. I'm so uncomfortable." And then they start realizing, like, "This is so-and-so from my group who is the only. This is probably how they feel." And I think sometimes that's such good advice to give, because going out there and experiencing, there's nothing that compares to that. Hearing second-hand about it, I don't think you could fully appreciate it. I also liken it to parenthood, you know? Before you have a child, you have all of these things that you know exactly how to raise a child, how a child should behave, everything, and then you have yours and you're like, "Oh, my goodness. This is not anything like I thought it would be. I can't control my child. My child runs wherever." You know, you can't keep up, and you start to appreciate parents more because you realize how difficult it is to be a parent. So sometimes you do have to sit in that person's shoes so you can understand what they experienced.Amy: Yeah, absolutely. And it's so funny because I--yeah, I think my kids--on that point, I think each one of my kids exists for the sole purpose of proving me wrong on something I said before I had children. [both laugh] I don't want to get off-topic, but yes, you are right about that. It is so much easier to be a good parent before you have kids. 
But I think for a lot of people, you know, that self-awareness and that self-consciousness that they feel for the first time, you know, people can go a long way through their lives with never having that kind of moment where they have to be self-aware and they feel very self-conscious, and when they realize in that moment that other people have felt that way for, you know, 25, 30, 45, 50 years, right, in their careers, and, you know, I think there's just an amazing amount of empathy that can happen in those epiphanies. So I'm so glad to hear someone else say, "Come to the meeting."Uso: Yes, it's so important. And you can never, never not benefit from being there. It will be uncomfortable. I cannot promise you that it won't be uncomfortable, because people will probably look at you like, "Hm. Is she [?]?" "Do I have to be careful what I say?" Because sometimes, you know, people do--in some of these meetings, people do get a level of comfort where they share openly, and sometimes when there's somebody in the group that's of that group that they're talking about they may not share as comfortably, but you need to be there. You need to understand some other things that people see. And I always, even to my colleagues and black friends, I'm like, "You have to also look on the other side." So some of them, you know, yes, at work we're usually only, but sometimes going to some of these other conferences and understanding the expectations can help us also. So I have always tried to go to my NABA conference, but I also go to my ISACA conference, which is, you know, the Information Systems Audit and Control Association, which governs the work I do, and now that I'm in the insurance industry I go to the, you know, insurance accounting and systems association conference because I want to develop the technical knowledge and the technical skills so that I can have those conversations and be comfortable. 
I mean, you start to realize there are some people who are just idiots and that's just who they are, but more and more when you go out and meet other people, you realize that getting people and having them learn a little about you and you learn about them breaks down some of those barriers, because a lot of things are just perception. They're not reality. They don't really just hate you because you're a black woman, you know? Sometimes they just--they don't know what to say to you, and for me it's a little harder because am I a black woman, I'm a black woman from a different country. [laughs] So some of the things that are culturally acceptable and expected, I don't always know about it, and my friends always--you know, they gave me the whole "Bless your heart" kind of thing [laughs]. There's some things that I just don't know, but I am not afraid to learn. I am not afraid to learn, and I'm always going out there so that I can learn and develop and become a better person.Amy: I think that's fantastic. So you and I had talked before about--I'm gonna switch gears a little bit on you, but you and I had talked before about how each of us, you know, people in general, we kind of contribute to the de facto segregation and the narrowing of our own professional networks and our own communities and, you know, only hanging out with people who are just like us until we had that moment when we realized, "Oh, my gosh. I've done this to myself and I didn't even realize it," and I was wondering if you could share a little bit about your experience with that.Uso: Sure. So when I moved to the U.S. and I started my public accounting career I was in New York, and I remember my first time going to training. It was, let's say, 2,000 professionals, and the black professionals were a very small group there. We were there for two weeks. 
The first few days, I would always go find my friends and, you know, go sit at that table, and I don't remember if somebody said something to me, I don't remember what it was, but one day I decided, "You know what? Let me just go sit at one of these tables," and I can tell you, I mean, of those 2,000 people, if we had 100 people who were not white, that probably was a large amount. So, you know, I'll go a little bit off-topic for a second. I always hear people say, you know, "Oh, is that so-and-so?" And they may take you for somebody else, and then black folks will be like, "Why do they think we all look alike?" Being in that room, like, there were, like, so many guys that, to me, I couldn't tell who was Joe from Jim from Bob. [That] made me, like, really understand how it is that we can all look alike, but side-note. But being in there and looking around and seeing all of these different people, you know, I thought "Let me go sit from people who are not from New York, who are not black, who I've never met before." So I started, for lunch and dinner breaks, just going to sit at random tables with people that I had not met before. You know, I developed relationships. I met people who I was so similar to that, you know, it was very interesting. And after that, even at work, you know, I started having conversations, and I remember I was on a team once, and then--you know, I always said that if you heard the conversations and the things we talked about as a team or the shows that we watch, the music we listen to, and people just told you the thing and you had to map it to the person, you would get it wrong, because the person who could quote the movie Friday was not the black girl on the team, and the person whose favorite movie was Pretty Woman was not the white girl on the team, you know? 
And that's when I started realizing that we have a lot more similarities than differences, and the only way I got to know that was to step out of my comfort zone and go meet people that I had not met before and be uncomfortable. And it wasn't even--I mean, yes, at first, you know, it takes a little [?], but once you sit there, people are pretty friendly. There are some who are not as friendly, but for the most part people were friendly and willing to, you know, open up.Amy: Thank you for sharing that. You know, I think if we all start with just being a little uncomfortable at first, and then what used to be a little uncomfortable becomes comfortable, and then we start to be a little uncomfortable again, and pretty soon you build that muscle memory to where it's not all that uncomfortable anymore.Uso: Yep. And I'll share another story. I have two kids. I have an almost 9-year-old and a 6-year-old, and I remember when my son, who's the older one, was in preschool and we had to look for an elementary school, we looked at a number of schools. Private schools, public schools, charter schools, and one of the things that--I think he was in pre-K, and he was telling us about a friend in his class and something that he said, but he wanted to--so he told us the boy's name, but we didn't know--we didn't recognize the name, so we were like, "Oh, which one is this?" And he's like, "Well, the one that looks like people on TV," and we realized he didn't have, you know--'cause he had just started his new preschool, but before that, all of the years that he was in preschool, it was a predominantly black preschool. So he didn't have any white boys in his school, and then we started looking around and realizing that that was our network. So we made a concerted effort that wherever he goes to real school is going to be a diverse place, because he really shouldn't have to describe somebody based on what they look like on TV. 
He should know them, be able to relate to them, and have relationships with them, and it's so great now to see that he has such a diverse network and that I feel like I can't wait to see kind of what their future looks like, 'cause I think they will have a different perspective on diversity than we do, 'cause to them it's like, "That's just my friend." "That's not my white friend, that's not my black friend. That's my friend." Amy: Oh, I sure hope so. And I think there's another angle to that too, which is that it's sad that the representation that he sees on TV is so predominantly white.Uso: Different story, but yes. [both laugh]Amy: I didn't want to let that moment pass. I think that there's another lesson in there about media and representation and those sorts of things, but, you know, I'm grateful. I'm grateful for other parents out there who can, you know, self-reflect on the kinds of experiences and exposure that their kids are getting and say, "Oh, we need to be intentional about this. We need to be intentional about bringing more diversity and exposing our children to different types of people." I was wondering. I know that you have experience as a volunteer leader within some of the companies that you've worked in around bringing together diverse employees and their allies, and I was wondering if you could share a little bit about what drove you, what motivated you to do that work--which can be exhausting and thankless and on your own time and in addition to your day job--and also just a little bit about what you got out of that experience?Uso: Yep, sure. I think I've always had a servant/leader-type mentality, because growing up my dad always, for birthdays and holidays, took us to places where we could volunteer to help others. He was a baker, so we would bake, and then we would serve--you know, he'd take us to different homes. One was a children's home for children who had polio and then one was an old people's home. 
When I moved to the U.S., I first started volunteering at the library for people who couldn't read, and I realized--the thing that attracted me was this flier that said, "If you can read this you can help, because there are people who can't read this." And I was like, "Really?" And I met people who were over 21, all the way up to, like, 60, who couldn't read, and I'm talking about don't know that t-o-i-l-e-t is toilet. They just use the picture of the door to know that that's where they go to use the bathroom. In school I volunteered. [?] I used to help kids with homework, but once I got into the profession and I realized that there are opportunities 1. to network with others like myself, but also to help others in the firms, I loved it. I jumped at that opportunity. So I moved from New York to Indiana in my second year as a professional, and being in Indiana, I did not have a lot of others that looked like me in the firm. We didn't have enough to have, like, a black employees network, so we ended up in a multi-cultural circle, which was great because we had people from different parts of the world, different genders, different thought processes, and because we didn't have, like, black partners or Indian partners, our leaders were the white partners. So that really helped us 1. we got the support we needed, but 2. we were able to have conversations and understand what it took to grow in the firm. One of the things that I did was to organize these many--what did we call them? It was, like, Breakfast with a Leader. So each partner would meet with three to four professionals from the group for either lunch or breakfast and just get to know each other. That was so powerful, and I still have relationships with some of those people today even though I'm no longer with that firm. 
And, you know, one of my partners was always telling me about this client contact that he wanted me to meet, and, you know, people always tell you they want you to meet people, but when I finally met the person he wanted me to meet, the first thing the person said to me is "This guy really respects you. He has been telling me about you for the past year." And that--sometimes you don't realize that. You don't have that. You don't get that. You know, people will say whatever, but they don't follow up with their actions and match it, and so I think that whole experience, I still say that I think 1. if I stayed in Indiana I probably would still be with that firm, but that just really helped me to grow as a person, helped me understand my weaknesses, things I need to develop, helped me educate others on us as a group and help them see, you know, us as we are high-performing professionals just like everybody else. We just have differences, but those differences are not hindrances. So, you know, educating them and then educating ourselves. It was just a really powerful experience.Amy: That's breaking down the walls between you, right? And I think so many times people look--when they look mentor, they look for people who are just like them because that's what's the most comfortable. 
Not because there's any animosity, right, between them and another group or not because they harbor any ill will, just because they don't want to be uncomfortable with that first minute either, and so what you really did was you took away that discomfort and opened up--you know, opened up the channel for people to be mentored and, you know, for executives to find mentors that didn't look just like them, and that's powerful.Uso: Yep, it was very powerful, and it's really helpful because a lot of times you really do try to go to people who look like you, and one of the things that I've learned is you need people as mentors who have had similar experiences to you, but it doesn't matter what they look like. If you are a high-performing individual who is on the fast track in your company, it is very helpful for you to have a high-performing mentor, because having a mentor that may take, you know, three or five years less than you would take to get to a level, they may not understand what you need to do to get there because they didn't do that, but having a white mentor versus a black mentor probably won't make a difference to you, because what you need more is someone who has the technical capabilities and the connections to get you where you need to go, and I think people undervalue the need to have advocates, 'cause the advocates are the people who have the power to connect you and also sell you and get you to where you aspire to go. Having a mentor is great, but if your mentor does not advocate for you, you know, then you may not be getting the best out of that relationship, and I think sometimes why people try to build the relationship, the mentor-type relationship, with people who look like them is because they may have tried to develop a trusting relationship with someone who broke that trust, and then they associated that, breaking that relationship, with the person's race. 
Uso: No, that person is probably a person who would have broken somebody's trust regardless of who it is that they're mentoring. And yes, I do, you know, accept that there are people who haven't [?] somebody different. They may have acted differently, but I'm learning now that it's a smaller group of people. It's not as large a group of people as we think, and sometimes we generalize that one-off experience and kind of take the brush and paint the whole wall with it to say, you know, "All white men, you can't trust them because this is what happened to me," but you'll learn that sometimes you can trust people more than you think, and a lot of the people who have helped me in my career have not looked like me. A lot of them were not my same gender, and, you know, they were very honest with me, and I think what was helpful was for me to be open-minded and receive information, 'cause what I've learned is sometimes we're not receptive to constructive feedback, and because of that we are not given the truth, so we don't really know the reason why we didn't make it to the next level. And a lot of times it's not just because of what we look like, but it's because of what our work output looks like. Which, you know, as we all know, there is no color there, you know? But if you don't know if your work is not of the quality that is, you know, expected of you, you may not know that you need to improve your work quality.
Amy: That is true, and a lot of times we have to have trusting relationships to get good feedback. You have to build that relationship first so that people know that they can trust you with their feedback. How you receive feedback is so important as to whether you will get it a second time, and I tell people, don't punish the people who praise you, because if somebody's giving you a compliment, if somebody's telling you you did a good job and you belittle that praise, they're not gonna tell you next time, and you're not gonna know when you're on the right track, and you may hear something constructive that you don't want to hear, but if you can say, "Thank you for making me better. I'd like to think about that," even if you do nothing with it--if all you say is, "Thank you. I'd like to think about that," that goes so far in building a relationship with someone. And then if you do actually think about it and come back to them with questions later, even better, right? Because they know that you really have a desire to improve. So spot on. Oh, I love talking to you. [both laugh]
Uso: And it is hard, 'cause you do not want to hear that you suck. [both laugh] You know? You don't, and I can tell you that I have received feedback that hurt me to my core, and I'm sure my facial expression and my reaction was not the most receptive, but I went away and realized, "Oh, my goodness. This is true," and one of the things that I had to realize--there is this one person who I had one shot to work with her, and I had come to her with a lot of praise and, you know, all of this stuff surrounding me, and I screwed up, and, you know, she had a lot of influence in what happened to my career that year, and I was mad, but then, you know--it took a while, but then I realized she only had one shot at me, and I screwed that shot up, you know? She didn't find all of the errors in my work. I put the errors there. I missed the stuff. But at the time it was happening it was not easy for me to realize that, you know? You have to really sometimes, like you said, just say, "Thank you for making me better," and go away and think about it and not just be like, "What? When? Where? How? What? I didn't--" You know? "Thank you for making me better." I like that. I think I'm gonna use that. [both laugh]
Amy: So in the time that we have left, I'd love for you to answer--like, finish two of my sentences. The first one is, "I feel included when _______."
Uso: I feel included when my opinions are asked and respected.
Amy: And the second sentence is, "When I feel included, I ________."
Uso: When I feel included, I am happy, and I'm usually looking for ways to help include others.
Amy: Thank you so much, Uso.
Uso: My pleasure. Thank you for the opportunity.
Amy: This was so much fun, and I hope we get to talk again soon.
Uso: I'm sure we will.
Amy: All right.
Uso: All right, take care.

NextExec - EWF
Season 2 Episode 1: Wise Women: A Chat with Meredith Harper

NextExec - EWF

Play Episode Listen Later Jan 14, 2020 22:41


In this episode Meredith Harper, CISO, discusses her career journey and the pivotal roles on her path to CISO. Meredith speaks about the passions that have led her to where she is today and what drives her to keep challenging herself. She also shares tips on how she has navigated new roles and organizations to be successful as a leader. Tune in for an insightful discussion!
Guest: Meredith Harper, CISO. Meredith Harper serves as vice president and chief information security officer at Eli Lilly and Company. She is responsible for the company's global information security program. Prior to joining Lilly in 2018 as senior director, deputy chief information security officer, Meredith served as chief information privacy and security officer at Henry Ford Health System, where she had ultimate responsibility for the protection of Henry Ford's provider, insurance, retail and research businesses. Meredith is an active member of the Health Care Compliance Association and the International Association of Privacy Professionals. She holds dual certifications in healthcare compliance and privacy. She is certified as a HealthCare Information Security & Privacy Practitioner through the International Information System Security Certification Consortium Inc. and a Certified Information Security Manager through the Information Systems Audit and Control Association. She earned a master's degree in health services administration and a bachelor's degree in computer information systems from the University of Detroit Mercy. She also earned a master's of jurisprudence in health law from Loyola University Chicago School of Law. Meredith serves on several advisory boards in support of empowering women and minorities to embark upon careers in technology, especially in information security. She has also served her community for 28 years through her Diamond Life membership in Delta Sigma Theta Sorority Inc.
Host: Betsy Hackl. Betsy Hackl is a Senior Associate Information Security Assessor at Eli Lilly and Company. During her time at Lilly, Betsy was instrumental in creating the Information Security Third Party Risk Management program to combat one of Lilly's top risks, "Insecure Third Parties". In this role, Betsy works with business stakeholders to identify the highest-risk third parties working with Lilly and determine the actions necessary to ensure our data and connections are secure. In addition to assessing third parties, Betsy also works on merger, acquisition and divestiture deals, and is in the process of standing up an ongoing monitoring program to continually monitor third-party organizations post-assessment. Prior to arriving at Lilly, Betsy was a Senior Auditor at EY, where she led the IT component of several SOX audits and created numerous SOC 2 reports. She holds the CISSP, CISA, GCED, GISP and CTPRP certifications. Support the show (https://www.ewf-usa.com/)

Transformación Digital
E28 Normatividad y aspectos legales de un mundo global y conectado (Episodio 2 de 2)

Transformación Digital

Play Episode Listen Later Sep 18, 2019 50:06


This is the second and final part of a very interesting conversation with Sol Beatriz Calle D'Aleman, Doctor of software and intellectual property law. Ricardo Villegas Londoño and Alejandro Peláez Rodríguez cover many topics on the legal aspects and the new challenges that arise in an increasingly global and connected world. In a simple and entertaining way they touch on topics such as software development, challenges for business owners, users of applications and software, and American, European and Colombian regulations, among many other subjects. Share this podcast, leave your comments and write to us about the topics you would like to hear in this Transformación Digital space.
Host: Ricardo Villegas Londoño, email: r_villegas@hotmail.com
Host: Alejandro Peláez Rodríguez, email: alejandropelaezr@gmail.com
Guest: Dr. Sol Beatriz Calle D'Aleman, email: solcalle@iustic.co
About the guest, Sol Beatriz Calle D'Aleman
Professional practice: lawyer practicing in commercial law and civil liability; guest intern at the Equifax Ibérica credit bureau in Madrid (Spain); founder of the Intellectual Property Center of the UPB; member of the arbitration lists of the Chambers of Commerce of Medellín and Barranquilla; partner of the firm Velasco & Calle D'Aleman Abogados, https://www.velascocalle.co
Academic background: law degree from the Universidad de Medellín; Doctor of Law, Cum Laude, from the Universidad Externado de Colombia; Master's in Informatics and Law from the Universidad Complutense de Madrid; Specialist in Commercial Law from the UAB; trainer for the Inter-American Development Bank program on conflict resolution
Areas of professional practice as consultant and lawyer: personal data protection; technology contracting; intellectual property; electronic commerce; information security compliance; security incidents and computer crimes; dispute resolution and litigation in technology matters
Certifications: certified auditor in the Organic Law on Personal Data Protection, Universidad Rey Juan Carlos
NGO participation: member of the ISACA Medellín Chapter (Information Systems Audit and Control Association); member of the International Association of Privacy Professionals (IAPP)
Produced by: Alejandro Pelaez Rodriguez. Web site: https://www.apelaez.com/podcasts/transformacion-digital Blog: https://www.apelaez.com/blog Email: alejandropelaezr@gmail.com
Social networks: Instagram: https://www.instagram.com/alejandropelaezr YouTube: https://www.youtube.com/user/alejandropelaezr Twitter: https://twitter.com/apelaez Facebook: https://www.facebook.com/alejandropelaezr
Credits: Music by Fontanez / Doug Maxwell - Urban Lullaby. Photography: Juan Jose Alvarez Calle, https://www.kreafoto.com


Transformación Digital
E27 Normatividad y aspectos legales de un mundo global y conectado (Episodio 1 de 2)

Transformación Digital

Play Episode Listen Later Sep 14, 2019 50:49


In a very interesting conversation with Sol Beatriz Calle D'Aleman, Doctor of software and intellectual property law, Ricardo Villegas Londoño and Alejandro Peláez Rodríguez cover many topics on the legal aspects and the new challenges that arise in an increasingly global and connected world. In a simple and entertaining way they touch on topics such as software development, challenges for business owners, users of applications and software, and American, European and Colombian regulations, among many other subjects. Share this podcast, leave your comments and write to us about the topics you would like to hear in this Transformación Digital space.
Host: Ricardo Villegas Londoño, email: r_villegas@hotmail.com
Host: Alejandro Peláez Rodríguez, email: alejandropelaezr@gmail.com
Guest: Dr. Sol Beatriz Calle D'Aleman, email: solcalle@iustic.co
About the guest, Sol Beatriz Calle D'Aleman
Professional practice: lawyer practicing in commercial law and civil liability; guest intern at the Equifax Ibérica credit bureau in Madrid (Spain); founder of the Intellectual Property Center of the UPB; member of the arbitration lists of the Chambers of Commerce of Medellín and Barranquilla; partner of the firm Velasco & Calle D'Aleman Abogados, https://www.velascocalle.co
Academic background: law degree from the Universidad de Medellín; Doctor of Law, Cum Laude, from the Universidad Externado de Colombia; Master's in Informatics and Law from the Universidad Complutense de Madrid; Specialist in Commercial Law from the UAB; trainer for the Inter-American Development Bank program on conflict resolution
Areas of professional practice as consultant and lawyer: personal data protection; technology contracting; intellectual property; electronic commerce; information security compliance; security incidents and computer crimes; dispute resolution and litigation in technology matters
Certifications: certified auditor in the Organic Law on Personal Data Protection, Universidad Rey Juan Carlos
NGO participation: member of the ISACA Medellín Chapter (Information Systems Audit and Control Association); member of the International Association of Privacy Professionals (IAPP)
Music by Fontanez / Doug Maxwell - Urban Lullaby. Photography: https://www.juanjalvarez.com
Produced by: Alejandro Peláez Rodríguez. Podcast URL: https://apelaez.podbean.com/ Web site: https://www.avenetsa.com Email: alejandropelaezr@gmail.com

Cyber Security Weekly Podcast
Episode 169 - RSA APJ Conference Podcast Series - Briefing with ISACA on the CYBERSECURITY NEXUS™ (CSX) TRAINING PLATFORM LABS

Cyber Security Weekly Podcast

Play Episode Listen Later Aug 18, 2019


Interview with Brian Page, Global Account Executive with ISACA, attending the RSA APJ Conference from Chicago, USA. Founded in 1969 and previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, and has grown to over 140,000 members and 190 worldwide chapters. Brian provides insight into the ISACA CYBERSECURITY NEXUS™ (CSX) TRAINING PLATFORM LABS: a performance-based, live lab environment where anyone can obtain cutting-edge cybersecurity training. Students gain access to relevant labs in live environments without the use of emulation. Labs are hosted in the cloud, so students may access them from anywhere in the world as long as they have a web browser and an internet connection. ISACA and MySecurity Media have a reseller agreement making the training available via the MySecurity Marketplace. Interview by Chris Cubbage, Executive Editor, MySecurity Media, recorded 17 July 2019, RSA APJ Conference, Singapore. MySecurity Media were media partners to the event.

Rural Health Leadership Radio™
134: A Conversation with Barry Mathis

Rural Health Leadership Radio™

Play Episode Listen Later Feb 19, 2019 37:06


Barry Mathis is Principal – IT and Advisory Services at PYA. Barry has nearly three decades of experience in the information technology (IT) and healthcare industries as a CIO, CTO, senior IT audit manager, and IT risk management consultant. He has performed and managed complicated HIPAA security reviews and audits for some of the most sophisticated hospital systems in the country. "The resources in a rural health situation are obviously at times challenged so your solutions have to be sharp." Barry is a visionary, creative, results-oriented senior-level healthcare executive with demonstrated experience in planning, developing, and implementing complex information-technology solutions to address business opportunities, while reducing IT risk and exposure. He is adept at project and crisis management, troubleshooting, problem solving, and negotiating. Barry has strong technical capabilities combined with outstanding presentation skills and professional pride. He is a prudent risk taker with proficiency in IT risk management, physician relations, strategic development, and employee team building. Barry is a member of the United States Marine Corps, Health Care Compliance Association, Association of Healthcare Internal Auditors, Healthcare Information Management Systems Society and Information Systems Audit and Control Association. He was an Honor Graduate in Systems Programming from the United States Marine Corps Computer Sciences School (MCCDC) in Quantico, VA. He is a Certified COBOL Programmer, a Certified Database Management Specialist, and a Certified Cyber Security Framework Practitioner. Barry L. Mathis, Principal – Information Technology & Advisory Services, bmathis@pyapc.com, (800) 270-9629 | www.pyapc.com

Bill Murphy's  RedZone Podcast | World Class IT Security
#091: CISO to CIO: Personal Vision, Legacy, and How to Leave a Positive Impact as the Top IT Leader

Bill Murphy's RedZone Podcast | World Class IT Security

Play Episode Listen Later Aug 13, 2018 51:33


My guest this week is Riz Jan, the Vice President, Chief Information Officer at The Henry M. Jackson Foundation (HJF) For the Advancement of Military Medicine. Riz is a dynamic technology and security executive leading an extensive strategic digital transformation to simplify and modernize the technology architecture within HJF. In this interview, Riz and I focus on what it takes to be a great IT leader and the crucial investments you need to make in yourself. What I love about Riz's leadership philosophy, which stems from his immigrant background, is his no-fear approach to taking risks. Listen to this episode to learn more about the role of legacy and making a positive impact as an IT leader.
What you will learn from this:
The impact of fearlessness and stepping to the edge of your comfort zone in Riz's ascendance from CISO to CIO.
Ongoing learning and resilience as a leader.
The role of having a vision of what your personal legacy will be and the imprint you will leave on people when you die.
The power of networking.
The incredible role of mentors and surrounding yourself with great people.
How application security can be your gateway to understanding the business and delivering tremendous value to it.
How to work for strong leaders like two-star generals.
Important leadership skills like empathy, "water cooler" and EQ skills.
Stress management.
Here are some other points of interest you will like:
What Riz learned as an immigrant and what formed him as a human being and as a leader.
Why it is important to have "no fear" and take risks as a leader.
The importance of networking "the hell out of everyone," which he learned in college @13:35
The ongoing learning: why you should be curious to learn about other people @14:15
How being on the application side of the house helped Riz learn and engage with "the business portion" of his organization @19:05
Why IT leaders need to break out of the bubble of being an IT guru, engage with the organization's stakeholders and educate them on security @19:45
Ways application security helped Riz engage with the business: How do you build a product solution for the business? What is the business trying to accomplish? What are you doing with the collected data and what do you want to get out of it? What is your end goal? How are you going to improve the business with a specific application or tool?
Riz's take on the mentors that "raised" him and why a continuous mentor-mentee relationship is extremely important @22:20
Learn about Riz's "water cooler approach" to leadership @23:40
What does it take to be an IT leader under a two-star general? @27:58
Great advice from a two-star general on reporting about an issue: "I want to know 30% of why it happened and 70% of why it won't happen" @29:10
How do you focus and deliver for a demanding leader? @31:55
Why a Project Manager is "key to everything" when interacting with the business and what it takes for a successful PM to implement a culture change @33:05
What Riz loves about the job and why he takes the time to re-invest in and re-invigorate his team members @34:55
Retaining your IT talent with empathy, soft skills, and EQ skills @37:13
Leadership stress management: lifting, running, meditation, and the Insight Timer app
How to move IT security at the pace of your business: IT security has to be "baked" into the business @45:30
How to leave a legacy as an IT leader: "Do something you really, really like and kick ass in it at the end of the day." @47:15
About Riz Jan
Rizwan A. Jan, CISSP, PCIP, CTPRP, is the Vice President, Chief Information Officer at The Henry M. Jackson Foundation (HJF) For the Advancement of Military Medicine.
Jan is a dynamic technology and security executive leading an extensive strategic digital transformation to simplify and modernize the technology architecture within HJF. He has developed an IT roadmap with a healthy investment strategy focusing on technology issues such as governance and policy, resource allocation, information technology protocols, and HJF’s technology organization. Jan has held several leadership roles in the healthcare industry and has spent close to two decades in the planning, development, delivery and monitoring of technical solutions that address the needs of Fortune 500 companies and not-for-profit organizations. Most recently, as the Chief Information Security Officer for HJF, Jan erected a robust Global Information Security Office to protect HJF’s information according to Federal cybersecurity regulations. The office ensures the stability and security of HJF’s information assets and infrastructure. Jan takes an active role in providing his professional perspective to industry challenges in community forums such as Gartner, a research and advisory company, (ISC)², an international nonprofit association for leading information security leaders and Information Systems Audit and Control Association (ISACA) CSX Working Group. He also serves on the Enterprise Mobility Advisory Board. Jan is a thought leader whose insight and knowledge are featured in industry media outlets and speaking engagements. Sync-Magazine highlighted Jan for his leadership in building strategic relationships that create a culture that fuels ownership, accountability, responsiveness and innovation. 
Read the full transcript here: www.redzonetech.net/podcast/riz-jan
How to get in touch with Riz Jan: LinkedIn
Key Resources: Sync Magazine article – Rizwan Jan Is Making a Human Network Connection; Enterprise Mobility Exchange - How to Manage Change in Mobile Transformation
This episode is sponsored by the CIO Innovation Insider Council, dedicated to Business Digital Leaders who want to be a part of the 20% of the planet and help their businesses win with innovation and transformation.
Credits: Outro music provided by Ben's Sound
About Bill Murphy: Bill Murphy is a world-renowned IT Security Expert dedicated to your success as an IT business leader. Follow Bill on LinkedIn and Twitter.

Black Hat Briefings, Japan 2005 [Audio] Presentations from the security conference
Michael Sutton and Adam Greene: The Art of File Format Fuzzing (English)

Black Hat Briefings, Japan 2005 [Audio] Presentations from the security conference

Play Episode Listen Later Oct 31, 2006 49:04


"In September 2004, much hype was made of a buffer overflow vulnerability that existed in the Microsoft engine responsible for processing JPEG files. While the resulting vulnerability itself was nothing new, the fact that a vulnerability could be caused by a non-executable file commonly traversing public and private networks was reason for concern. File format vulnerabilities are emerging as a more and more frequent attack vector. These attacks take advantage of the fact that an exploit can be carried within non-executable files that were previously considered to be innocuous. As a result, firewalls and border routers rarely prevent the files from entering a network when included as email attachments or downloaded from the Internet. As with most vulnerabilities, discovering file format attacks tends to be more art than science. We will present various techniques that utilize file format fuzzing, ranging from pure brute force fuzzing to intelligent fuzzing that requires an understanding of the targeted file formats. We will present a methodology for approaching this type of research and address issues such as automating the process. Techniques will be discussed to address challenges such as attacking proprietary file formats, overcoming exception handling and reducing false positives. The presentation will include demonstrations of fuzzing tools designed for both the *nix and Windows platforms that will be released at the conference and the disclosure of vulnerabilities discovered during the course of our research. Michael Sutton is a Director for iDEFENSE/VeriSign, a security intelligence company located in Reston, VA. He heads iDEFENSE Labs and the Vulnerability Aggregation Team (VAT). iDEFENSE Labs is the research and development arm of the company, which is responsible for discovering original security vulnerabilities in hardware and software implementations, while VAT focuses on researching publicly known vulnerabilities.
His other responsibilities include developing tools and methodologies to further vulnerability research, and managing the iDEFENSE Vulnerability Contributor Program (VCP). Prior to joining iDEFENSE/VeriSign, Michael established the Information Systems Assurance and Advisory Services (ISAAS) practice for Ernst & Young in Bermuda. He is a frequent presenter at information security conferences. Michael obtained his Certified Information Systems Auditor (CISA) designation in 1998 and is a member of Information Systems Audit and Control Association (ISACA). He has completed a Master of Science in Information Systems Technology degree at George Washington University, has a Bachelor of Commerce degree from the University of Alberta and is a Chartered Accountant. Outside of the office, he is a Sergeant with the Fairfax Volunteer Fire Department. Adam Greene is a Security Engineer for iDEFENSE/VeriSign, a security intelligence company located in Reston, VA. His responsibilities at iDEFENSE/VeriSign include researching original vulnerabilities and developing exploit code as well as verifying and analyzing submissions to the iDEFENSE Vulnerability Contributor Program. His interests in computer security lie mainly in reliable exploitation methods, fuzzing, and UNIX based system auditing and exploit development. In his time away from computers he has been known to enjoy tea and foosball with strange old women."

Black Hat Briefings, Las Vegas 2006 [Video] Presentations from the security conference

As many people are becoming more accustomed to phishing attacks, standard website and e-mail phishing schemes are becoming harder to accomplish. This presentation breaks all of the phishing norms to present an effective, alternative phishing method from start to finish in 75 minutes using Linux and Asterisk, the open-source PBX platform. With an Asterisk installation, we'll set up an account and build a telephone phishing platform most banks would fear. We'll also show targeting techniques specific to large corporate environments and demonstrate basic Asterisk deception techniques. We'll also discuss ways we can prepare for and potentially prevent these types of attacks. Jay Schulman is a Senior Manager at a Big 4 Advisory Firm focusing on Information Security and Privacy. Mr. Schulman has ten years of information security experience including positions in senior information security management and leadership. He is a former Business Information Security Officer for a top-five global financial services company. Mr. Schulman managed logical and physical security for a nationwide financial institution's government payment processing platforms. This environment has been designated National Critical Infrastructure (NCI) by the United States Department of Homeland Security and handled approximately one trillion dollars per fiscal year on behalf of the US government. Mr. Schulman is currently a Certified Information Systems Security Professional (CISSP) and a member of the International Information Systems Security Controls Consortium (ISC2), Information Systems Audit & Control Association (ISACA) and the Information Systems Security Association (ISSA). He has spoken publicly on the issues of information security, risk management, and technology. Mr. Schulman holds a Bachelor of Sciences degree from the University of Illinois-Urbana Champaign.

Black Hat Briefings, Las Vegas 2005 [Video] Presentations from the security conference
Michael Sutton and Adam Greene: The Art of File Format Fuzzing

Black Hat Briefings, Las Vegas 2005 [Video] Presentations from the security conference

Play Episode Listen Later Jun 4, 2006 43:18


In September 2004, much hype was made of a buffer overflow vulnerability that existed in the Microsoft engine responsible for processing JPEG files. While the resulting vulnerability itself was nothing new, the fact that a vulnerability could be caused by a non-executable file commonly traversing public and private networks was reason for concern. File format vulnerabilities are emerging as a more and more frequent attack vector. These attacks take advantage of the fact that an exploit can be carried within non-executable files that were previously considered to be innocuous. As a result, firewalls and border routers rarely prevent the files from entering a network when included as email attachments or downloaded from the Internet. As with most vulnerabilities, discovering file format attacks tends to be more art than science. We will present various techniques that utilize file format fuzzing, ranging from pure brute force fuzzing to intelligent fuzzing that requires an understanding of the targeted file formats. We will present a methodology for approaching this type of research and address issues such as automating the process. Techniques will be discussed to address challenges such as attacking proprietary file formats, overcoming exception handling and reducing false positives. The presentation will include demonstrations of fuzzing tools designed for both the *nix and Windows platforms that will be released at the conference and the disclosure of vulnerabilities discovered during the course of our research. Michael Sutton is a Director for iDEFENSE, a security intelligence company located in Reston, VA. He heads iDEFENSE Labs and the Vulnerability Aggregation Team (VAT). iDEFENSE Labs is the research and development arm of the company, which is responsible for discovering original security vulnerabilities in hardware and software implementations, while VAT focuses on researching publicly known vulnerabilities.
His other responsibilities include developing tools and methodologies to further vulnerability research, and managing the iDEFENSE Vulnerability Contributor Program (VCP). Prior to joining iDEFENSE, Michael established the Information Systems Assurance and Advisory Services (ISAAS) practice for Ernst and Young in Bermuda. He is a frequent presenter at information security conferences. Michael obtained his Certified Information Systems Auditor (CISA) designation in 1998 and is a member of Information Systems Audit and Control Association (ISACA). He has completed a Master of Science in Information Systems Technology degree at George Washington University, has a Bachelor of Commerce degree from the University of Alberta and is a Chartered Accountant. Outside of the office, he is a Sergeant with the Fairfax Volunteer Fire Department. Adam Greene is a Security Engineer for iDEFENSE, a security intelligence company located in Reston, VA. His responsibilities at iDEFENSE include researching original vulnerabilities and developing exploit code as well as verifying and analyzing submissions to the iDEFENSE Vulnerability Contributor Program. His interests in computer security lie mainly in reliable exploitation methods, fuzzing, and UNIX based system auditing and exploit development. In his time away from computers he has been known to enjoy tea and foosball with strange old women.

Black Hat Briefings, Las Vegas 2005 [Video] Presentations from the security conference

As a result of the Real-ID Act, all American citizens will have an electronically readable ID card that is linked to the federal database by May 2008. This means that in three years we will have a National ID card system that is being unilaterally controlled by one organization (DHS) whether we want it or not. Organizations such as the ACLU are already exploring opportunities for litigation. Privacy advocates cite Nazi Germany and slippery slopes, while the government waves the anti-terrorism flag back in their faces. Compromises and alternate solutions abound. Join us for a lively debate/open forum in an attempt to find a usable solution to this sticky problem. We will review solutions from the AMANA as well as ask why passports are not considered to be a privacy problem in the same ways. Would a National ID card make us safer? What to do about 15 million illegal immigrants? If college students can fake an ID, why can't a terrorist? What civil rights are abrogated by requiring everyone to possess an ID? What problem are we trying to solve anyway, and will federal preemption address it? David Mortman, Chief Information Security Officer for Siebel Systems, Inc., and his team are responsible for Siebel Systems' worldwide IT security infrastructure, both internal and external. He also works closely with Siebel's product groups and the company's physical security team and is leading Siebel's product security and privacy efforts. Previously, Mr. Mortman was Manager of IT Security at Network Associates, where, in addition to managing data security, he deployed and tested all of NAI's security products before they were released to customers. Before that, Mortman was a Security Engineer for Swiss Bank. A CISSP, member of USENIX/SAGE and ISSA, and an invited speaker at the RSA 2002 and 2005 security conferences, Mr. Mortman has also been a panelist at InfoSecurity 2003 and Blackhat 2004. He holds a BS in Chemistry from the University of Chicago.
Dennis Bailey is the Chief Operating Officer for Comter Systems, a top-secret, 8(a) information technology and management consulting firm based out of Fairfax, Virginia. He is also the author of "The Open Society Paradox: Why the Twenty-First Century Calls for More Openness Not Less", a recently published book which makes the case for secure identification and information sharing. He is active in the fields of identification, information sharing and security. He was a participant in the Sub-group on Identification for the Markle Foundation Task Force on Terrorism. He participates on the ITAA's Identity Management Task Group and is a member of the Coalition for a Secure Driver's License. His education includes a master's degree in political science from American University, where he worked at the Center for Congressional and Presidential Studies. Dennis also has a master's degree in psychology from the University of Dayton, where he worked at the Social Science Research Center. Jim Harper: As director of information policy studies, Jim Harper speaks, writes, and advocates on issues at the intersection of business, technology, and public policy. His work focuses on the difficult problems of adapting law and policy to the unique problems of the information age. Jim is also the editor of Privacilla.org, a Web-based think-tank devoted exclusively to privacy. He is a member of the Department of Homeland Security's Data Privacy and Integrity Advisory Committee. In addition to giving dozens of speeches and participating in panel discussions and debates nationwide, Jim's work has been quoted and cited by USA Today, the Associated Press, and Reuters, to name a few. He has appeared on numerous radio programs and on television, commenting for Fox News, CBS News, and MSNBC. Jim is a native of California and a member of the California bar. 
He earned his bachelor's degree in political science at the University of California, Santa Barbara, where he focused on American politics and the federal courts. At Hastings College of the Law, Jim served as editor-in-chief of the Hastings Constitutional Law Quarterly. In addition to numerous writings and ghost-writings in the trades and popular press, his scholarly articles have appeared in the Administrative Law Review, the Minnesota Law Review, and the Hastings Constitutional Law Quarterly. Rhonda E. MacLean is a charter member of the Global Council of Chief Security Officers. The Council is a think tank comprised of a group of influential corporate, government and academic security experts dedicated to encouraging dialogue and action to meet the new challenges of global online security. MacLean provided leadership as the Global Chief Information Security Officer for Bank of America from 1996 until 2005. At Bank of America she was responsible for company-wide information security policies and procedures, support for the lines of business in their management of information risk, implementation of security technology, cyber forensics and investigations, and awareness for the company's leadership, associate base and outside suppliers. In that role she provided leadership for a number of company-wide initiatives designed to protect sensitive customer and company information. In addition, under her leadership the bank's corporate information security organization has been a leader in innovation, filing for numerous U.S. Patents in the areas of infrastructure risk management and information security. After many years of service on some of the industry's most important associations, advisory boards and think tanks, she was appointed in 2002 by the Secretary of the Treasury to serve as the financial services sector coordinator for critical infrastructure protection and homeland security. 
In that role, she established a Limited Liability Corporation which brought together 26 financial service trade associations, utilities and professional institutes to work in partnership with Treasury to create several important industry initiatives designed to ensure industry cooperation and resiliency. She continues to serve as Chairman Emeritus for the Council. In September 2003, The Executive Women's Forum named MacLean one of five "Women of Vision", one of the top business leaders shaping the information security industry. MacLean was named one of the 50 most powerful people in the network industry in NetworkWorld's 2003 and 2004 issues. In recognition of her continued leadership in the security field, she was awarded CSO's Compass Award in 2005. In April 2005, The Friends of a Child's Place, a Charlotte-based advocacy for the homeless, named her one of the "First Ladies of Charlotte" in recognition of her pioneering role in information security and her support for the Charlotte community. MacLean has spent more than 25 years in the information technology industry. Immediately before joining Bank of America, MacLean spent 14 years at The Boeing Company where she was the Senior Information Security Manager for Boeing's proprietary and government programs. She is certified by the Information Systems Audit and Control Association as a Certified Information Security Manager.>

Black Hat Briefings, Las Vegas 2005 [Audio] Presentations from the security conference
Michael Sutton and Adam Greene: The Art of File Format Fuzzing

Black Hat Briefings, Las Vegas 2005 [Audio] Presentations from the security conference

Play Episode Listen Later Jun 4, 2006 43:18


In September 2004, much hype was made of a buffer overflow vulnerability that existed in the Microsoft engine responsible for processing JPEG files. While the resulting vulnerability itself was nothing new, the fact that a vulnerability could be triggered by a non-executable file commonly traversing public and private networks was reason for concern. File format vulnerabilities are emerging as an increasingly frequent attack vector. These attacks take advantage of the fact that an exploit can be carried within non-executable files that were previously considered to be innocuous. As a result, firewalls and border routers rarely prevent such files from entering a network when they are included as email attachments or downloaded from the Internet. As with most vulnerabilities, discovering file format attacks tends to be more art than science. We will present various techniques that utilize file format fuzzing, ranging from pure brute force fuzzing to intelligent fuzzing that requires an understanding of the targeted file formats. We will present a methodology for approaching this type of research and address issues such as automating the process. Techniques will be discussed to address challenges such as attacking proprietary file formats, overcoming exception handling and reducing false positives. The presentation will include demonstrations of fuzzing tools designed for both the *nix and Windows platforms that will be released at the conference, and the disclosure of vulnerabilities discovered during the course of our research.

Michael Sutton is a Director for iDEFENSE, a security intelligence company located in Reston, VA. He heads iDEFENSE Labs and the Vulnerability Aggregation Team (VAT). iDEFENSE Labs is the research and development arm of the company, which is responsible for discovering original security vulnerabilities in hardware and software implementations, while VAT focuses on researching publicly known vulnerabilities. His other responsibilities include developing tools and methodologies to further vulnerability research, and managing the iDEFENSE Vulnerability Contributor Program (VCP). Prior to joining iDEFENSE, Michael established the Information Systems Assurance and Advisory Services (ISAAS) practice for Ernst and Young in Bermuda. He is a frequent presenter at information security conferences. Michael obtained his Certified Information Systems Auditor (CISA) designation in 1998 and is a member of the Information Systems Audit and Control Association (ISACA). He has completed a Master of Science in Information Systems Technology degree at George Washington University, has a Bachelor of Commerce degree from the University of Alberta and is a Chartered Accountant. Outside of the office, he is a Sergeant with the Fairfax Volunteer Fire Department.

Adam Greene is a Security Engineer for iDEFENSE, a security intelligence company located in Reston, VA. His responsibilities at iDEFENSE include researching original vulnerabilities and developing exploit code as well as verifying and analyzing submissions to the iDEFENSE Vulnerability Contributor Program. His interests in computer security lie mainly in reliable exploitation methods, fuzzing, and UNIX based system auditing and exploit development. In his time away from computers he has been known to enjoy tea and foosball with strange old women.

Black Hat Briefings, Las Vegas 2005 [Audio] Presentations from the security conference


Black Hat Briefings, Las Vegas 2006 [Audio] Presentations from the security conference

"As many people are becoming more accustomed to phishing attacks, standard website and e-mail phishing schemes are becoming harder to accomplish. This presentation breaks all of the phishing norms to present an effective, alternative phishing method from start to finish in 75 minutes using Linux and Asterisk, the open-source PBX platform. With an Asterisk installation, we’ll set up an account and build a telephone phishing platform most banks would fear. We’ll also show targeting techniques specific to large corporate environments and demonstrate basic Asterisk deception techniques. We’ll also discuss ways we can prepare for and potentially prevent these types of attacks.

Jay Schulman is a Senior Manager at a Big 4 Advisory Firm focusing on Information Security and Privacy. Mr. Schulman has ten years of information security experience including positions in senior information security management and leadership. He is a former Business Information Security Officer for a top-five global financial services company. Mr. Schulman managed logical and physical security for a nationwide financial institution’s government payment processing platforms. This environment has been designated National Critical Infrastructure (NCI) by the United States Department of Homeland Security and handled approximately one trillion dollars per fiscal year on behalf of the US government. Mr. Schulman is currently a Certified Information Systems Security Professional (CISSP) and a member of the International Information Systems Security Controls Consortium (ISC2), the Information Systems Audit & Control Association (ISACA) and the Information Systems Security Association (ISSA). He has spoken publicly on the issues of information security, risk management, and technology. Mr. Schulman holds a Bachelor of Science degree from the University of Illinois Urbana-Champaign."