
Page 1: Infosecurity Professional Magazine Issue 20

ISSUE NUMBER 20

An (ISC)2 Digital Publication

www.isc2.org

KEEPING UP WITH NEXT GEN RISK MANAGEMENT

Page 2: Infosecurity Professional Magazine Issue 20

Computer Science

Educational Technology

Information Security

Information Systems

Information Technology

The password to your future is NSU.


Nova Southeastern University admits students of any race, color, sexual orientation, and national or ethnic origin.

Nova Southeastern University is accredited by the Commission on Colleges of the Southern Association of Colleges and Schools (1866 Southern Lane, Decatur, Georgia 30033-4097, Telephone number: 404-679-4501) to award associate’s, bachelor’s, master’s, educational specialist, and doctoral degrees.

The Graduate School of Computer and Information Sciences at Nova Southeastern University offers forward-thinking educational programs to prepare students for leadership roles in information technology. Designated as a National Center of Academic Excellence in Information Assurance Education by the U.S. National Security Agency, we offer rigorous educational programs with flexible formats for working professionals, state-of-the-art facilities, and a distinguished faculty. In this diverse and dynamic field, our graduates are achieving success in the military, government departments, and universities nationwide, as well as at top companies.

HOW WE STAND OUT

• Designated a National Center of Academic Excellence in Information Assurance Education by the U.S. government since 2005

• Pioneer of online education since 1984

• Earn your graduate certificate, master’s degree, or Ph.D degree in information security

• IEEE members receive tuition discounts

Apply today and advance your career at: www.scis.nova.edu/isc

Page 3: Infosecurity Professional Magazine Issue 20

COVER PHOTO BY COLIN ANDERSON; ABOVE ILLUSTRATION BY MICHAEL AUSTIN

[ features ]

10 Keeping up with Next-Gen Risk
The risk-management model is changing rapidly, as technology, data, and security regulations grow. BY PETER FRETTY

14 Teaching Moment: From Fairy Tales to Info Security
Stories can be used to teach ethics or communicating infosec information. BY KERRY ANDERSON

18 Filling the (Soft) Skills Gap
A balance of technical and “soft” skills boosts your career options. BY COLLEEN FRYE

ISSUE NUMBER 20 INFOSECURITY PROFESSIONAL 1

issue 20

[ also inside ]

3 Executive Letter: Cyber-Secure Culture in 2013
From the desk of (ISC)2’s Global Communications Manager, Sarah Bohne.

4 Moderator’s Corner: Views and Reviews
Highlights from (ISC)2’s event moderator, Brandon Dunlap.

6 FYI: Member News
Read up on the latest happenings with (ISC)2 and its worldwide members.

20 Q&A: Mastering Security and Innovation
Patrick C. Miller, founder, president and CEO of Energy Sector Security Consortium, Inc.

22 Chapter Passport: Voices of Thanks
Chapter Leaders Convene in Philadelphia, Penn., U.S.

24 Global Insight: Be Aware of Security Awareness
Are security processes practiced routinely at your organization? BY PEDRO D. NAVARRO, CISSP.

2012 VOLUME 4

InfoSecurity Professional is published by IDG Enterprise Custom Solutions Group, 492 Old Connecticut Path, Framingham, MA 01701 (phone: 508 935-4796). The information contained in this publication represents the views and opinions of the respective authors and may not represent the views and opinions of (ISC)2 on the issues discussed as of the date of publication. No part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), or for any purpose, without the express written permission of (ISC)2. (ISC)2, the (ISC)2 digital logo and all other (ISC)2 product, service or certification names are registered marks or trademarks of the International Information Systems Security Certification Consortium, Incorporated, in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. For subscription information or to change your address, please visit www.isc2.org. To order additional copies or obtain permission to reprint materials, please email [email protected]. To request advertising information, please email [email protected]. © 2012 (ISC)2 Incorporated. All rights reserved.


Page 4: Infosecurity Professional Magazine Issue 20

While BYOD can often bring on fear from the unknown, it can also provide organizations with enormous opportunity, such as cost-saving benefits. CISSP®-ISSMP®s have the proven technical knowledge and experience to capitalize on these opportunities and effectively lead their business through the adoption of BYOD while continuously mitigating risk. ISSMPs are vital to an organization’s success: establishing, presenting and governing security policies, leading incident handling and breach mitigation teams, and more. On April 1, 2013, the ISSMP domains will change to reflect the most current work performed by and knowledge required for an ISSMP.

Leaders see opportunity where others see obstacles.

Learn about the ISSMP changes

Page 5: Infosecurity Professional Magazine Issue 20

executive letter: FROM THE DESK OF THE (ISC)2 GLOBAL COMMUNICATIONS MANAGER

A Cyber-Secure Culture in 2013

SARAH BOHNE, GLOBAL COMMUNICATIONS MANAGER, SAYS (ISC)2 ANTICIPATES SIGNIFICANT GROWTH ON MANY FRONTS IN SUPPORT OF CYBER SECURITY PROFESSIONALS.

AS THE GLOBAL SHORTAGE for cyber security professionals continues unabated, (ISC)2 is building programs to enhance the workforce of today and foster the workforce of tomorrow.

By inspiring a culture of cyber security responsibility within both professional and local communities, a workforce is emerging that will be able to adapt and respond to evolving threats and challenges. Through programs like (ISC)² Chapters, the (ISC)² Foundation Scholarship and Safe and Secure Online programs, the networking, mentoring, professional development, and public education opportunities that are critical to ensuring a safe and secure cyber world are available to more prospective professionals than ever before.

The Chapter program, which began just 14 months ago, now consists of more than 70 local chapters around the world. More importantly, we anticipate considerable Chapter growth (hopefully 50 new chapters) in 2013. The Chapters are designed to meet the professional development, community, and networking needs of our membership at a local level.

The Chapters are also the launch pad for our efforts to help fill the professional pipeline. In September, we announced a NextGen program aimed at attracting new people to the industry and providing opportunities for education, networking and mentorship, which dovetails with the mission of many (ISC)² Chapters. Currently, nine of them have designated a NextGen Liaison who will program events and sessions aimed at newcomers of any age. Although the content will be driven by individual chapters, (ISC)² will facilitate the programs and provide support materials. The program will be expanded to all interested chapters in early 2013, and we encourage the participation of experienced professionals who are interested in mentoring.

Scholarships are another way we’re helping fill the industry pipeline: the (ISC)² Foundation granted US$120,000 in undergraduate and faculty scholarships in 2012 and will increase that to US$145,000 in 2013.

Cyber security awareness is a large component of our social responsibility efforts in the form of the (ISC)² Foundation Safe and Secure Online program. At the conclusion of National Cyber Security Awareness Month in the U.S. and Canada and Get Safe Online Week in the U.K. in October, (ISC)² member volunteers had reached 85,000 students worldwide with a message of responsible digital citizenship (read more in the Giving Corner on pg 9). Members receive special training to deliver an interactive presentation that teaches children ages 7-14 how to protect themselves online while introducing them to a potential career in cyber security.

The (ISC)² Foundation recently launched a Safe and Secure Online presentation tailored for parents and teachers in an effort to equip caregivers with the knowledge to reinforce responsible online behavior at home and in the classroom. Volunteers earn continuing professional education credits for the training video and presenting in the classroom or at other group functions. The program is currently active in four countries (Canada, Hong Kong, U.S., and U.K.), and we hope to expand our reach into more countries next year to educate thousands more children, parents, and teachers.

Other 2013 events you can look forward to include an expanded 3rd annual Security Congress. Also watch for the release of the bi-annual (ISC)² Global Information Security Workforce Study (GISWS). The GISWS is the largest study of its kind and provides detailed insight into important career trends and opportunities within the information security profession. Look for the findings on the Foundation website, www.isc2cares.org, at the end of February. Also look for an expanded 3rd annual (ISC)² Security Congress and a new mission statement that describes how (ISC)² and its members are working every day to inspire a safe and secure cyber world.

Best regards,
Sarah Bohne
(ISC)2 Global Communications Manager

Page 6: Infosecurity Professional Magazine Issue 20

Management Team

Elise Yacobellis, Executive Publisher
727-683-0782, [email protected]

Timothy Garon, Publisher
508-529-6103, [email protected]

Marc G. Thompson, Associate Publisher
703-637-4408, [email protected]

Amanda D’Alessandro, Corporate Communications Specialist
727-785-0189, [email protected]

Sarah Bohne, Global Communications Manager
616-719-9113, [email protected]

Sales Team

Jennifer Hunt, Events Sales Manager
781-685-4667, [email protected]

Lisa O'Connell, Regional Sales Manager
781-460-2105, [email protected]

IDG Media Team

Charles Lee, Vice President, Custom Solutions Group
Alison Lutes, Project Manager
Joyce Chutchian, Editor, 508-628-4823, [email protected]
Kim Han, Art Director
Lisa Stevenson, Production Manager

ADVERTISER INDEX

ASIS: p. 5
(ISC)2: p. 2; p. 8; p. 21; Back Cover
Microsoft: p. 12
NOVA Southeast: Inside Front Cover
RSA Europe: p. 23

For information about advertising in this publication, please contact Tim Garon at tgaron@isc2.org.

moderator’s corner: VIEWS AND REVIEWS FROM (ISC)2'S EVENT MODERATOR

2012: A Year of Accomplishments

WITH 2012 RECEDING in the rear view mirror, I am struck with a sense of wonder at what we have managed to accomplish this year. You may recall, in my last column I introduced you to a new, online educational offering from (ISC)2: The Security Briefings Series. These monthly, one-hour webinars allow us to focus on a single theme over several months, discussing the various facets of what are often very thorny problems. Attendance and feedback from these first sessions have been fantastic. Your constructive criticism has helped us refine the programming, and I am eager to continue building on this success throughout 2013. Keep the comments coming!

We reached another significant milestone this year with the second annual Security Congress. Standing on the foundation of last year’s event in Orlando, Fla., U.S.A., I had the pleasure to meet and chat with many of you in Philadelphia, Penn., U.S.A. this year, where we, once again, shared the stage with our partner, ASIS. As is often the case with such events, the “hallway track” offered up information that was just as fascinating as the official program. What’s more, the opportunity to make new professional connections was at an all-time high, thanks to a dramatic increase in attendance. Topics such as bring your own device (BYOD) and cloud dominated the agenda once again, and some interesting newcomers to the field brought out some amazing insights. Namely, I had the pleasure of introducing the Orlando Doctrine, which I’ve been working on with my long-time friend and colleague Spencer Wilcox.

Finally, a notable infosec celebrity — Javvad Malik — appeared at this year’s Congress. You may remember his ‘Benefits of Being a CISSP’ video from last year, which was a big hit within our community of practitioners. You can catch his (soon-to-be) award-winning documentary.

As we head into 2013, I’m looking forward to catching up with many of you at our Security Leadership Series live events, on the web for our roundtables and e-symposiums, and, of course, at the 2013 Security Congress in Chicago, Ill., U.S.A. As always, let’s keep it interactive.

I look forward to continuing the conversation.

Brandon Dunlap
Managing Director of Research, [email protected]

Page 7: Infosecurity Professional Magazine Issue 20

STRATEGIC. SMART. SECURE.

Today’s smart, strategic solutions mesh together all aspects of logical and physical security. The convergence of technologies and systems needed to make us more secure demand that industry professionals operate at the very top of their game. ASIS 2013, the world’s most influential security event, will deliver the forward-thinking solutions and up-to-date intelligence security professionals need to face challenges and mitigate risk.

Ready to cut through the clutter and map out a more secure future? We’ll see you and your most pressing questions in Chicago.

ASIS INTERNATIONAL 59th Annual Seminar and Exhibits
September 24–27, McCormick Place, Chicago, IL

For information visit www.asisonline.org or call +1.703.519.6200.

COLOCATED EVENT

Page 8: Infosecurity Professional Magazine Issue 20


Career Guidance for Aspiring Infosec Pros

DO YOU KNOW SOMEONE who is interested in a career in information security but doesn’t know where to start? The new (ISC)2 NextGen program was created just for them. The group provides a platform for aspiring and emerging security professionals to join the information security workforce. It is open to aspiring and active cyber security professionals age 35 and under, looking to bolster their careers and deepen connections with the professional community. The program also offers experienced professionals an opportunity to provide expertise and guidance through mentorship. Eight (ISC)2 chapters are participating in the pilot program, with a full rollout planned for early 2013. Chapters that are currently participating include:

• Colombo, Sri Lanka Chapter (Sri Lanka)
• Manitoba/Saskatchewan Chapter (Canada)
• National Capital Region Chapter (Washington, D.C., U.S.)
• New Jersey Chapter (U.S.)
• Omaha Lincoln Chapter (Nebraska, U.S.)
• Sacramento Chapter (California, U.S.)
• Sao Paulo Chapter (Brazil)
• Tampa Bay Chapter (Florida, U.S.)

PHOTO BY MULTI-BITS/THE IMAGE BANK

fyi: (ISC)2 MEMBER NEWS

Page 9: Infosecurity Professional Magazine Issue 20

Congratulations to the 2012 (ISC)2 U.S. Government Information Security Leadership Award recipients

(ISC)2 IS PROUD TO PRESENT the recipients of our ninth annual U.S. Government Information Security Leadership Awards program.

CATEGORY: COMMUNITY AWARENESS

AWARD RECIPIENT: The U.S. Federal Aviation Administration (FAA) Awareness, Training and Evaluations Division Team, led by Nancy Hendricks, CISSP, information systems security specialist

PROJECT: The AIS-200 Team achieved quantifiable results in support of various administrative requirements, including a six-month campaign to ensure that at least 95 percent of the user population completed annual awareness training.

CATEGORY: FEDERAL CONTRACTOR

AWARD RECIPIENT: The U.S. Department of Defense’s Joint Capability Technology Demonstration (JCTD) Adaptive Red Team, led by David Rohret, CEH, Security+, CHFI, ECSA/LPT, CNDA, senior principal systems engineer, CSC

PROJECT: In response to a request to replicate how real-world hackers, cyber armies and cyber criminals would attack the DoD, the JCTD ART developed a process for applying goal-oriented scenarios through the adversary’s eyes, attacking and assessing from every approach to determine the most likely attack vector based on the greatest impact.

CATEGORY: PROCESS/POLICY

AWARD RECIPIENT: Janet Stevens, PMP, chief information officer, USDA Food Safety and Inspection Service (FSIS), Information Assurance Division (IAD)

PROJECT: Janet has dedicated herself to ensuring that every member of the FSIS community, from security officers to office staff, is aware of cyber security. Through an innovative use of social media and contributions to organizational publications, Janet provides her agency with in-depth explanations of cyber security issues and practices, and updates on the latest IAD news.

CATEGORY: TECHNOLOGY IMPROVEMENT

AWARD RECIPIENT: The U.S. Air Force’s Military Satellite Communications (MILSATCOM) Systems Directorate’s Host Based Security System (HBSS) Pilot Integration Team, led by Steven Martin, CISM, information assurance manager

PROJECT: By formulating, documenting and completing a proof of concept as a pathfinder model for future implementation, the team integrated the HBSS baseline on a Space Mission System in less than two months.

CATEGORY: WORKFORCE IMPROVEMENT

AWARD RECIPIENT: The U.S. Army Reserve’s Information Operations Command (AROIC) Cyber Warrior Training Development Team led by Col. John Diaz, CISSP, CRISC, professional engineer and commander

PROJECT: This 10-person team implemented a training strategy that systematically trains and transforms AROIC soldiers into elite, combat-ready cyber warriors who are called upon to protect, monitor, analyze, detect and respond to unauthorized activity on the Army’s information systems and computer networks.

New Award for 2013 GISLA Program

We are also pleased to announce the creation of a new GISLA to honor Lynn F. McNulty, CISSP, who passed away in June 2012, but whose innovation, influence, and commitment to government information security will be felt for years to come. The (ISC)2 Lynn F. McNulty Tribute GISLA will recognize a member of the U.S. federal information security community who upholds McNulty’s legacy as a visionary and innovator through outstanding service and commitment. The first recipient will be hand-chosen by the (ISC)2 U.S. Government Advisory Board for Cyber Security (GABCS) and recognized at the 2013 GISLA ceremony.

Study on the Go

STUDYING FOR THE CISSP® credential has never been more convenient. The first four domains (Access Control, Telecommunications & Network Security, Information Security Governance & Risk Management, and Software Development Security) of the Guide to the CISSP CBK®, Third Edition are now available in iBook format. Now you have the flexibility to choose only the domains that you need while studying from the convenience of your iPad, iPhone or iPod.

Page 10: Infosecurity Professional Magazine Issue 20

Graduate with More than Academic Credentials

GRADUATES OF THE WARWICK MANUFACTURING GROUP (WMG) department at the University of Warwick’s Cyber Security and Management program can now attend a three-day (ISC)2 CISSP Compact course and become Associate members of (ISC)2. This opportunity is the result of WMG’s Academic Affiliate Agreement with (ISC)2 to support the entry of its MSc in cyber security and management graduates into the workforce. Upon graduation, students are armed with both academic credentials and Associate of (ISC)2 status, along with the opportunity to train for the CISSP credential. Through WMG, the University of Warwick is the second university in the U.K. to support its MSc program graduates with an (ISC)2 credential program, following Royal Holloway College at the University of London.

CALL for SPEAKERS

(ISC)² SECURITY CONGRESS
September 24-27 • Chicago, IL • McCormick Place
Colocated with

Submit Today

(ISC)² Security Congress Categories:
• Compliance, Regulation & Governance
• Threats - Inside and Out
• Cloud Security
• Swiss Army Knife - General topics of interest in Information Security
• Application Security
• Mobile Security/Social Networking
• Software Assurance
• Malware
• Government Security

Page 11: Infosecurity Professional Magazine Issue 20

Giving Corner

THE PAST YEAR HAS BEEN A PRODUCTIVE YEAR, with numerous successful program launches that touch the lives of so many people worldwide.

With every experience, whether it’s determining scholarship recipients, brainstorming for new Safe and Secure Online programs, or expanding our volunteer opportunities, we find that we are able to improve upon each existing program and strive for more outreach, service, and enrichment the next time around.

Our (ISC)2 Foundation Committee comprises board members and regional advisory board members worldwide. It was formed to improve the impact our programs have on members, on vulnerable publics, and on the industry as a whole. They are also tasked with helping the Foundation gather the human and financial resources needed to boost program impact, and to form useful strategic alliances.

SAFE AND SECURE ONLINE
One such strategic alliance is with National Cyber Security Awareness Month in the U.S.A. and Canada, and with Get Safe Online Week in the U.K., both held annually in October. Teams of volunteers focused their efforts in this important month to reach almost 9,000 children and 1,200 parents.

WHAT’S AHEAD IN 2013
2013 Global Information Security Workforce Study: Alas, the (ISC)2 2013 GISWS is almost complete! Look for results of the survey in the Spring issue of InfoSecurity Professional magazine. The study has given us valuable insight into the specific skills sets within cyber security that make up most of the gap in the workforce. We will also take a deep dive into cloud security, secure software development, and issues surrounding BYOD.

SCHOLARSHIPS
The (ISC)2 Foundation Scholarship program is growing faster than ever. Thanks to the generous donations of our members and from the corporations who match donations, this year we awarded four scholarships to women in Tanzania, Taiwan, Singapore, and the U.S. We also awarded exam vouchers to 11 faculty members from around the world to increase the knowledge level of those charged with educating the future information security workforce.

Remember, many of our scholarship recipients would not have the opportunity to remain in school without the help of members’ donations, and corporations who have charitable gift-matching programs. Be sure to be on the lookout for our annual appeal email. You could make a big (secure) difference in many lives — and many ways — by donating to support scholarships or the Safe and Secure Online program in 2013.

For more information or to donate, visit https://www.isc2cares.org.

Happy New Year!
Julie Peeler
Director, (ISC)2 Foundation

Don’t forget to take the quiz and earn CPEs: http://bit.ly/ShTroh

For a list of events (ISC)2 is either hosting or sponsoring, visit www.isc2.org

Page 12: Infosecurity Professional Magazine Issue 20


KEEPING UP WITH NEXT-GEN RISK MANAGEMENT
by PETER FRETTY

The model of risk management is quickly changing as technology, data, and security regulations increase.

Page 13: Infosecurity Professional Magazine Issue 20


Risk management is nothing new for CISOs. In fact, the formula for calculation (risk = likelihood x impact) is time-tested, universally accepted and relatively simple. However, in today’s data-laden, tech-driven world, the landscape is altering with significantly more compliance regulations as well as an increased number of threats.

While fundamentals have not changed, what has changed is that there are more opportunities to exercise risk transference, which means there are more opportunities to push your risk burden onto someone else, explains Ben Tomhave, principal consultant with Overland Park, Kan., U.S.-based governance, risk management and compliance solution provider LockPath.

“To do so effectively, however, means having a sharp legal team that can work to ensure that the contract has appropriate provisions to accomplish a risk transference objective, as well as strong brand management and customer rapport to help defuse any sort of negative flashback that may ensue from a security incident at one of your providers,” he says.

Understanding Evolving Vulnerabilities

While most understand how to calculate the impact variable of the equation, the changing model of technology, including the proliferation of mobile and cloud-based content delivery, means organizations are now in danger of losing an understanding of the assets they own, which is a key requirement to understanding the portion of the risk equation, explains John Linkous, chief security and compliance officer with Acton, Mass., U.S.-based eIQnetworks.

“Finding known vulnerabilities involves regular, consistent vulnerability scanning and will tell you what you’re able to know. And, the more in-depth the vulnerability scanning exercise, the more vulnerabilities will be discovered. After discovering known vulnerabilities, signature-based tools such as host-based antivirus and network-based intrusion detection and prevention (IDS/IPS) technologies provide CISOs with a relative measurement of how often exploitation of these vulnerabilities occurs across the environment. This yields a number that approximates the likelihood variable of the risk equation,” he says.

Detection is much harder for vulnerabilities not easily encapsulated within signature-based detection methods. “It’s possible to detect some unknown vulnerabilities when they’re actually being exploited by looking at anomalies within the environment,” says Linkous. “Security professionals can use this information to forensically track down the root cause of these abnormalities and determine if an unknown vulnerability is the culprit.”

Understanding what is actually at risk is the starting point that is often overlooked, explains Tomhave. “Today, much attention is paid to various threats such as APT, but it’s still relatively rare to find an organization that has a good understanding of what it is they are actually protecting,” he says. “Starting with a comprehensive assessment and understanding of one’s assets including people, processes and technology is immensely important. Without knowing what keeps the lights on, it is impossible to formulate a reasonable strategy for ensuring business continuity and survival.”

PHOTO BY COLIN ANDERSON


Page 14: Infosecurity Professional Magazine Issue 20


A CISO can only determine the organization’s security risk level by performing a true security risk assessment that focuses in on determining the actual security risks to the organization, explains Doug Landoll, author of The Security Risk Assessment Handbook. “This can be accomplished by improving the standard practice of dividing the controls among those responsible and sending out a questionnaire seeking those in charge of the controls to somehow give an honest representation of their strength.”

According to Landoll, an improved data gathering component of the security risk assessment would seek information about controls using the five key data-gathering methods: review documents, interview key staff, inspect controls, observe behavior and test controls.

“This assessment should provide the CISO with the information needed to create a near-term and long-term security strategy for the organization. Whether conscious or not, there is a strong human tendency to make the data support our beliefs or desires,” he says. “All too often, a security risk assessment is merely a paper exercise used to support the already-determined strategy. Of all the responsibilities of the CISO, setting the security strategy based on corporate objectives and the realities of the current threat environment and existing controls is the most important.”

Managing through Mobility

As one of the fastest-growing trends, mobility introduces interesting wrinkles into risk management. With mobile technology, the concept of the internal network changes drastically. “Even though mobile devices are end-points just like fixed workstations, they are connecting over new types of networks including 3G/4G cellular and Wi-Fi, with more proprietary operating systems and users with more direct control over the devices,” Linkous says. “There’s also a mix of personal and corporate data on the devices, resulting in a higher asset value for both the organization and the individual.”

As such, less direct control exists over data and systems. “We must instead put our trust in third parties, and are oftentimes at the mercy of lawyers—who may or may not understand security and risk management—to craft reasonable contractual terms,” Tomhave says. “There are now many heightened areas of concern, such as right to audit, the monitoring and detection capabilities available, access to reports, the ability to conduct an incident or forensics response, and the ability to ensure that your corporate policies are being enforced.”

Is your organization ready for the cloud? Find the answer with the free Cloud Security Readiness Tool.

A short survey and custom report helps you understand and improve your current IT state, identify industry regulation and compliance requirements, and evaluate the benefits of cloud adoption.

www.microsoft.com/trustedcloud

Page 15: Infosecurity Professional Magazine Issue 20

Seeing Storm CloudsThe cloud presents unique challenges. Most notably for orga-nizations is the challenge of no longer owning the tangible assets that store, process or transmit their data. Cloud service providers loathe providing contractual requirements for security of cloud-based assets and data, because to do so impacts their ability to remain agile with technology provi-sioning and deployment.

“Issues such as geographic location of data, lack of stan-dard security data APIs for cloud environments, and different provisioning and management standards for cloud infra-structure between various providers means organizations that choose the cloud are going to effectively give up substan-tial amounts of control related to the likelihood variable of the risk equation,” says Linkous.

According to Rob Ayoub, security strategist at Sunny-vale, Calif., U.S.-based Fortinet, companies with data in public clouds have to shift their risk management to auditing the security of the provider and ensuring the availability of services. “Because most cloud providers don’t allow for orga-nizations to test their security, a lot of the risk management moves to contracts and legal protections,” he says.

Accounting for Big DataWith regard to big data, the news is better, explains Tomhave. “We oftentimes know how to conduct analysis on a given silo of data. Our challenge, then, lies in how to aggregate those silos in a meaningful way,” he says. “This is where tools like GRC come to bear, allowing us to have better insight into risk factors, and thus to chart a more comprehensive, better informed risk management strategy.”

Big data highlights the need to be diligent about understanding the security requirements and controls over sensitive data, Landoll explains. “Incredibly large caches of this data make for some rather eye-opening risk calculations,” he says. “The cost of inaccurate data and poor measure techniques has been exacerbated.”

Assessing Tools and Finding Help
The number and types of tools are almost overwhelming. For instance, there are risk management packages from solutions providers like Archer and Agiliance, an array of vulnerability management tools from providers like Foundstone and Rapid7, configuration management tools like Policy Auditor or NetIQ, patch management offerings such as BigFix or SCCM, and incident response/forensics management from firms like Encase.

However, before making any investments, Linkous recommends starting with an information risk register. “A risk register doesn’t require a fancy, proprietary application, although many such products exist; it can be managed effectively using a spreadsheet or a consumer database tool, but needs to contain the basics for each asset including an identification of individual threats, the likelihood and impact of each of those threats occurring, mitigation and contingency,” he says. “Of course, a risk register is useless without having a comprehensive understanding of all information assets and what they’re worth. It’s the lack of this critical information that allows exploited vulnerabilities to go so long before they’re detected in many environments.”

According to Tomhave, the best risk management solutions use automated testing tools to help fill the gaps left by audits, as well as to integrate into often-overlooked areas like the development environment and developer activities. “A risk management program should have insight into the monitoring and detection system to help provide oversight and governance to the operational teams as part of keeping the business aligned to the risk strategy,” he says.

It’s also important to remember that help doesn’t necessarily mean an expensive third-party vendor, explains Linkous. For instance, the federal government offers free resources to help organizations get a handle on information risk through the National Institute of Standards and Technology (NIST). Specifically, risk management models (NIST SP800-37), security controls frameworks (NIST SP800-53), and technical recommendations (NIST FIPS publications) for implementing specific security controls such as authentication and encryption are quite extensive.

Peter Fretty is a freelance business and technology journalist based in Michigan.


TEACHING MOMENT: From FAIRY TALES To INFO SECURITY

Telling stories can help users and IT professionals retain important security information. by KERRY ANDERSON

FOR THOUSANDS OF YEARS, people have used storytelling as a way to relate information. Stories can be used to teach ethics, relate examples of behavior and their consequences, communicate information, and provide entertainment as well. Storytelling has been used as a method of teaching, both formally and informally, even before written language existed.1

Storytelling offers many benefits, including using it as part of instruction in formal classes or training sessions. The reason: stories are fun; stories can effectively share knowledge in diverse groups; stories make it simple to communicate a message; and stories make the message more memorable.2

For several years, I ran a study group for various security certification examinations. Years later my participants would tell me that they remembered a 3-year-old concept because of a story I associated with it, such as my three-year-old nephew attempting to send my manager an email using my VPN connection on my unlocked laptop (lesson: always lock your screen). The more vivid the image in the story, the better chance we have of remembering it.

FAIRY TALES AND INFORMATION SECURITY
I have had the pleasure of hearing Ira Winkler, the well-known information security expert and speaker, present at various conferences. He is a master of memorable presentation themes, such as “Everything I Need To Know About Security, I Learned From Watching Star Trek” and the use of the “Wizard of Oz” story to discuss computer and network security. We can relate to these popular cultural images, and they make the concept easier to recall even years later. Six years later, I can still recall significant portions of Mr. Winkler’s presentations. It recently occurred to me that storytelling might serve as a vehicle for exploring information security themes and serve as an instructional tool for conveying best practices.

Using fairy tales as a teaching tool affords the following advantages, in addition to the basic benefits of using storytelling as an instructional mechanism:

1. Most individuals are familiar with the stories.

2. The stories lend themselves to vivid imagery by the teller.

3. It is an innovative approach to teaching security knowledge.

4. Instructors can put their own personal twist on the basic presentation.

5. Most of the well-known tales can be used to teach basic end-user security concepts or more advanced security mechanisms.

6. A learning activity using another fairy tale to evaluate it for security themes could be used as a follow-up to the initial lecture portion of the session.

So I’ve taken the liberty to analyze some popular fairy tales with the objective of developing various information security themes for use with basic end-users and advanced technology practitioners.

1. Cinderella
Mistreated stepdaughter is forced into a life of drudgery by evil stepmother and stepsisters. She wants to attend a royal ball to meet the handsome prince in search of a bride. However, she has no means to go until her fairy godmother transforms her ragged attire into a gorgeous gown with glass slippers. Unfortunately, the spell only lasts until midnight. She meets the prince and it is love at first sight. As midnight approaches, she flees and leaves behind one of her glass slippers. The prince hatches a plan to use the slipper to locate her by trying the slipper on all the maidens in his kingdom. It does not fit anyone but Cinderella because of her tiny feet. The shoe fits. The prince marries her and they live happily ever after.

POTENTIAL SECURITY THEME(S)
Biometrics: The prince used a unique physical attribute to identify Cinderella. He searched his kingdom for a match, but only Cinderella’s foot fit the tiny slipper. Perhaps the fairy godmother used some unique attributes of Cinderella’s foot to create a slipper that would only conform to her foot, therefore excluding all other potential maidens.

Access Restrictions Based On Time: Cinderella is only able to access resources based on a specific period, i.e., prior to midnight. After that time had passed, she lost control of the assets, such as the pumpkin coach.

Social Engineering/Penetration-Testing: Cinderella’s regal garb allowed her to gain access to the castle and the event (ball). Her appearance allowed her to blend with the invited guests. In some versions of the tale, such as the popular television version, the prince assumes Cinderella is a princess and she does nothing to discourage that perception. If Cinderella’s intention had been more nefarious, she could have used her ruse to steal assets, such as battle plans for a war or the royal jewels. She could even have injured attendees of the ball.

2. Hansel and Gretel
Hansel and Gretel were a brother and sister in search of food. They used a slice of bread to mark a path back to their home by leaving a trail of breadcrumbs. The siblings came upon a gingerbread house and partook of its tasty structure without permission. The owner, a kindly looking old woman, invited them in. She fed them. Hansel and Gretel did not initially realize that the old woman was fattening them up so she could eat them. The old woman used the children’s fingers to determine if the siblings were ready for slaughter. Hansel substituted a bone for a finger to fool the old woman, who had poor eyesight. The children eventually escaped after pushing the old woman into the oven. They took her jewels and food, then used the trail of breadcrumbs to find their way back home, and lived happily ever after.

POTENTIAL SECURITY THEME(S)
Biometrics: Hansel and Gretel used breadcrumbs as a navigation aid to retrace their steps. The term breadcrumb is commonly used for mechanisms that allow users to keep track of their locations within programs or websites.

Tracing: The paths that messages take on networks can be traced from the initial source through the many servers they passed on the way to the final destination IP address. Generally, on the Internet, everybody can be traced, no matter what they do or where they go, because IP addresses are left on every server and every computer communicated with. While cyber criminals may use different techniques, such as an anonymizer or anonymous proxy, to attempt to make their activity on the Internet untraceable, many forensic experts may still be able to determine their activities.

False Metrics: The old woman uses Hansel’s finger as a metric for how her efforts to fatten up the siblings are going. Hansel is able to substitute a bone for his finger and provides a false metric for the old woman’s monitoring efforts. Hackers often alter (or delete) logs and other monitoring files to disguise their real activities. The old woman is visually impaired, making it easier for Hansel to pull off his ruse. Sometimes, despite having the proper metrics and/or logs, an information security practitioner can fail to identify abnormal activity because they are myopic (shortsighted) and focus on specific risk areas.

Social Engineering: The old woman lures the siblings into her home with food and kindness, but her intentions are malevolent. This is a social engineering technique called reciprocation,3 in which the social engineer offers something of value, such as food, to solicit a behavior based on gratitude, such as staying and visiting with a person. When we receive something of value from people, we tend to want to reciprocate, often by complying with their requests.

3. Three Little Pigs
Three little pigs went out into the world to seek their fortunes. They needed appropriate housing. The first little pig used straw to construct his house because it was the easiest thing to do. The second little pig constructed his house out of sticks because it was easy to do, but a little bit stronger than straw. The third little pig considered security in his construction and used bricks to build his home. A big, bad wolf, who loved to eat little pigs, lived nearby. The wolf ordered the first little pig to let him in his straw house, but the little pig balked at the request. The wolf blew the house down. Then the wolf ordered the second little pig to let him in his house made of sticks, but the little pig balked at the request. The wolf blew the house down. The wolf then came to the third little pig and his brick house. The wolf ordered the third little pig to let him in, but the little pig balked at the request. The wolf huffed and puffed. However, try as he might, he could not blow down the brick house. The wolf decided to climb onto the roof and crawl down the chimney. However, the pig had seen him climbing onto the roof, so he boiled a large kettle of water in the fireplace. The wolf landed in the kettle of water and was boiled to death. The third little pig lived happily ever after.

POTENTIAL SECURITY THEME(S)
Construct Strong Defenses: Defenses have to be appropriate to protect against known threats. The first and second little pigs should have constructed defenses adequate to withstand the known attack type used by the big bad wolf, his huffing and puffing. They both were eaten because they used weak defenses, namely straw and sticks, because they were easy, available, and likely cheap.

Beware the Porous Perimeter: Even strong primary defenses may have some weakness necessary to sustain life or business activities. This is the porous perimeter. The third little pig needed to have a chimney to cook his food and heat his home. However, the chimney created a chink in the otherwise strong defense of his home. Luckily, the third little pig was aware of this risk and had a strategy to defend against attacks on this potential vulnerability.

Use Defense in Depth: You cannot depend on one defensive layer for complete protection from attackers. It is similar to depending totally on an enterprise firewall to defend against all cyber attacks without considering side-channel attacks against mobile devices or web applications. Both the third little pig and an organization need to practice defense in depth. The third little pig developed the scalding kettle defense to protect against an indirect attack that bypassed his primary brick house protection layer.

USING CULTURAL IMAGES AS AN INSTRUCTION TOOL FOR INFORMATION SECURITY CONCEPTS
There are numerous ways to relate cultural knowledge to information security concepts. Fairy tales offer some widely known stories and provide the strong visual imagery to increase the potential for long-term retention of learning.

As an adjunct college instructor and trainer for more than a decade, I frequently use examples based upon literature and entertainment to illustrate a point and make the concept more memorable. For example, when discussing the need to understand requirements before implementing security architecture, I often describe an episode of “classic” Star Trek called “The Cage.” In it a disfigured woman explains her appearance by saying, “They rebuilt me. Everything works. But, they had never seen a human. They had no guide for putting me back together.” It is possible to utilize this approach across visual, auditory, and kinesthetic learning styles.4

CLOSING THOUGHTS
Like many practitioners, I am always seeking innovative ways to relate information security concepts to avoid the perception that the material is dry. In the past, I have integrated stories from my own experience, as well as those of other practitioners. I favor stories with strong visual impact or unusual elements. I also include news stories related to the topic under discussion because they can act to illustrate both weak and best practices in information security management. Other approaches, such as demonstration, games, and video work well, but stories seem to work best. Once I explored the potential security-related themes that can be drawn from a story, I was pleasantly surprised by the number of ideas that a single story generated. Initially, I had only one security concept per story, but I wound up with several concepts for each fairy tale I explored. There is a reason that these stories have lived on through the generations and why they remain relevant today.

Kerry Anderson is a CISSP-ISSAP, ISSMP, CISA, CISM, CGEIT, CRISC, CFE, CSSLP, CCSK, MSIA and holds an MBA.

1 Egan, K. (1989). Teaching as storytelling. Chicago: University of Chicago Press.
2 Sole, D. and Wilson, D. “Storytelling in organisations” (2002).
3 Cialdini, Robert B. Influence: The Psychology of Persuasion (December 2006).
4 www.ldpride.net/learningstyles.MI.htm#Kinesthetic%20Learners:


Filling the (Soft) Skills Gap

A balance of technical and soft skills opens doors to career advancement. by COLLEEN FRYE

YOUR TECHNICAL SKILLS MAY OPEN THE DOOR TO AN INFOSEC CAREER, but your soft skills will keep the door open to career advancement. “Soft skills” refer to a person’s Emotional Intelligence Quotient (EQ), a cluster of personality traits and attributes such as verbal and written communication skills, conflict resolution and negotiation skills, listening skills, empathy, and more.

A signpost for EQ career trajectory typically comes at the three- to seven-year mark, says David Garcia, an executive recruiter in the Columbus, Ohio, area specializing in information security, information protection and IT audit. “That’s where people need to decide what they want to do when they grow up. If you want to remain in a purely technical role, no harm, no foul.” However, he tells recruits, if they want to get promoted, they will need soft skills.

“If you’re happy with a technical role, it will largely limit a path to management if you don’t have soft skills,” says Jack Daniel, technical product manager at Tenable Network Security. That’s OK, he adds, “but it does limit your options, and you have to stay on top of your technical skills so you can continue to find jobs and grow in your position.”

This balance of hard or technical skills with soft skills does not just apply to career advancement in infosec. In many fields at the entry level, “technical skills will help open the door, possibly even more than soft skills, depending on the field and what is needed,” says Lisa Prior, principal at Newton, Mass., U.S.-based Prior Consulting LLC, a firm that specializes in organizational and leadership effectiveness. “But what we know is that after 10 years in a career, soft skills or skills of emotional intelligence begin to matter more and technical skills become somewhat less important.”

According to the 2012 Talent Shortage Survey from ManpowerGroup, employers from around the world cited the top reasons for the difficulty in filling jobs as lack of available applications or no applicants (33%), lack of technical competencies or hard skills (33%), lack of experience (24%), and lack of employability skills or soft skills (18%). In the Americas, 15% of employers reported that applicants lack soft skills or employability skills. The top soft skills today’s employees are lacking, according to U.S. employers, are enthusiasm and motivation, professionalism (personal appearance and punctuality), interpersonal skills, attention to detail, collaboration and team work ability, and flexibility, adaptability, and agility.

Industry observers agree that the infosec field does tend to have a shortage of soft skills. “We mention this quietly in the background; there is a sort of a nerd factor,” says Bill Sieglein, founder and CEO of CISO Executive Network. “We meet folks who are very talented in infosec, but in roundtables you can quickly identify who will rise and who will hit a ceiling. They communicate in a nerdy fashion and business doesn’t understand.”

So what exactly are employers looking for? For CISOs, says Sieglein, “Number one is the ability to communicate with business leaders, to translate complex security language to business language. The second is team skills—you can’t be a lone wolf. You have to rely on people across the company and communicate with staff.”

For infosec staff, it depends on the role, Garcia says. Some are very technical, such as reverse-malware engineering. “The perfect person probably has a database background, hardcore software development skills, and has moved into security.” But for someone responsible for PCI certification, he says, they not only have to have hard technical skills like encryption, “but they’ll be communicating on a daily basis to both technical and nontechnical people. The CISO interviewing them should be picturing them talking to business units or talking to the team that works for the CIO. So they have to speak well, and write well.”

Daniel agrees. “Public speaking and writing have a real impact on your career path. One of the ways you build up a reputation in the field is by writing, whether that’s white papers, technical writing, blogs, webcasts or podcasts.” He says infosec professionals can also hone writing and speaking skills at their local ISSA chapters or at regional conferences.

Other key soft skills include being a good listener and possessing the ability to work well with others, Sieglein says.

A sense of humor can also be valuable for those in public-facing roles, says Daniel. “Humor is part of the way you can soften a situation,” he says, but warns, “a little humor goes a long way, but it can be completely overdone.”

What an employer looks for is a fit for their culture, says Prior. “If humor is part of that organization’s culture, then it’s a quality they’ll look for. The more desirable things are how you are at getting along with others, how effective you are at managing conflict.” And that, she says, can come down to self-awareness.

“Self-awareness is one of the most important career skills—the ability to understand how you’re perceived in the workplace is critical to your success.” Also, she says, do you take the initiative and have responsibility and ownership for resolving issues without a lot of direction? Do others come to you as the go-to person? “Early in a career, those are skills that are important, and a characteristic that endures.”

For David M. Jacquet, president of InfoSecGroup, an infosec services consulting company in Portland, Maine, the bottom line for soft skills is, “someone who knows how to interact with people.” He adds, “A lot of my guys talk to boards of directors; they can’t be geeking out … soft skills have got to be there.”

Colleen Frye is a freelance writer and editor in Franklin, Mass., U.S.

TIPS for Boosting Your Soft Skills

Are soft skills innate, or can they be taught and mentored? “Who you are might not change, but the assumptions you make can change. Your behaviors can change, along with your willingness to work on them and change with them,” says Lisa Prior, principal at Prior Consulting LLC.

The following are some suggestions for honing your soft skills:

✔ Build your self-awareness. One of the best ways to do that is to get feedback from others, says Prior. For example, she says, ask your colleagues how they think you handled a meeting, and what you could improve. And seek out literature that identifies key competencies that employers look for.

✔ Do a gap analysis on yourself. “Ask what skill sets should I have, what do I have, and how do I bridge that gap. Say I need to learn to write reports. Take a class, make fake ones, and seek advice,” says Jacquet.

✔ Work on your presentation skills. “If there’s an opportunity to be mentored, start acting as the representative of your security team in different situations, with guidance at first. You need to take a risk and get out there,” advises Garcia.

✔ Develop skills for handling conflict and negotiating situations. Take ownership and responsibility for resolving issues, and make yourself the go-to person. Then pass it on, says Prior. “The person who’s willing to share and see someone else be successful becomes a future leader.”


Q&A: EXPERTS ADDRESS TRENDING SECURITY TOPICS

Mastering Security and Innovation
PATRICK C. MILLER is President and CEO of EnergySec, and Principal Investigator for the National Electric Sector Cybersecurity Organization (NESCO). Senior Managing Editor Joyce Chutchian spoke with Miller about trends in cybersecurity and the energy industry.

Q: Tell us about NESCO.
Our organization is a non-profit, grassroots association that’s sharing security information among electric utilities. It started after the Sept. 11, 2001 terrorist attacks, when I worked for a power company in the Northwest. The Olympics were happening in Salt Lake, and after Sept. 11, all of the nearby utilities worked together to prevent a terrorist attack on the power system during the Olympics. In 2010, the Department of Energy offered NESCO funding, and we expanded the group to include federal agencies, vendors, and academic institutions.

Our primary focus is building relationships. That is, we spend the bulk of the time doing face-to-face meetings. We meet at conferences. We call them our therapy sessions and ask what keeps them awake at night. It’s all about the people. We’re technology agnostic.

Q: What keeps you up at night?
Keeping the lights on. We have a spectrum of threats that run from very near-term to long-term future threats. Near term is non-government organizations. We have known terrorists, we have real, motivated organizations and countries that would like to perform high-impact attacks. Out on the horizon, we have long-term threats. The country with the best intellectual property and the energy supply to put it to use will be the next superpower.

Q: What should security professionals be most concerned about?
We’re not very good with our soft skills. There are not enough of us and our knowledge transfer isn’t very good; we need to be able to translate our discipline to the next generation. We’re too nerdy.

We need to find ways to communicate less in terms of ultra technical security speak, and more in terms of risk management. We should work on public speaking and writing capabilities. It may seem mundane and frightening to technical people, but it will advance our field.

Q: What about the future?
Some organizations are putting their grid operations elements in the cloud. You don’t build a new electric grid or refinery quickly. We’re taking something structural and slow-moving and applying warp speed innovation. That becomes mildly explosive. It’s a challenging mix. We need to find a way to merge these things together in a secure, meaningful way. It won’t be solved by a security wizard, or an innovation wizard alone. We need people who can speak both languages. In the future we’ll have a new, hybrid set of people who can translate on both sides, who can advance the economy and business.

Q: What is your advice for security professionals?
We need to balance prevention, detection, and response. You don’t rate a safe as unbreakable. You rate it as how long it will take to break into it with certain tools. Our landscape has changed. Prevention is not possible. In the Venn diagram, where prevention, detection, and response meet — we need to move toward the overlapping area.


Advancing Information Security, One Community at a Time

CHAPTERS provide opportunities to:

• Network with peers
• Exchange knowledge
• Meet industry experts
• Earn CPE credits
• Build leadership skills
• Support educational seminars
• Promote security awareness

Join or Start a Chapter Today! www.isc2.org/chapters


(ISC)2 Chapter Leaders Convene in Philadelphia
(ISC)2 HELD ITS FIRST LEADERSHIP MEETING with chartering and official (ISC)2 Chapter officers and delegates during the second annual (ISC)2 Security Congress in Philadelphia, Penn., U.S. Officers from nearly 20 chapters worldwide attended, including representatives from Argentina, Sao Paulo (Brazil), Switzerland, and several from the U.S. It was the first opportunity for chapter officers to meet face-to-face and learn about existing and new (ISC)2 Chapter programs and initiatives.

Julie Peeler, (ISC)² foundation director, discussed how the chapters can get involved with (ISC)2 Foundation programs, including hosting and mentoring scholarship recipients; volunteering for the Safe and Secure Online program for children, parents, and teachers; and donating to the Foundation to support these programs. As a Safe and Secure Online lead volunteer, Dan Waddell provided valuable insight and experience regarding his involvement and the positive impact it has made on thousands of children. And Mrs. Peeler reminded all (ISC)² members and nonmembers alike to participate in the 2013 Global Information Security Workforce Study (GISWS).

(ISC)² also announced new initiatives in several chapters that are currently in development. Jerry Pittman, co-chair of the North American Advisory Board (NAAB), presented details about the (ISC)² Advisory Board/Chapter Engagement Program (ABCEP), which provides a mechanism between the (ISC)² Advisory Board members and chapter leaders to align common goals and objectives, and quickly and efficiently launch programs relevant and beneficial to the local professional community. Sarah Bohne, (ISC)² global communications manager, presented two of the initial chapter pilot programs: Executive Writers Bureau (EWB) and the NextGen program. Upon successful completion of the pilot phase, these programs will be expanded to advisory boards and chapters in other regions. (For more details, contact Sarah at [email protected].)

Officers from the New Jersey, Philadelphia, and Sacramento (U.S.) Chapters served on a panel and presented their chapter programs and activities. In addition, they answered questions from the audience and provided advice. Officers enjoyed learning about experiences from other officers and were excited to learn about new programs. Here’s what some of the attendees had to say:

“Thank you very much for organizing such a fantastic meeting for the people! We look forward to providing more input and efforts to the local chapter and the corporate work as well!”

— Ron Zhang, New Jersey, U.S. Chapter

“Meetings like this, where chapters can discuss their problems, achievements, and possible solutions, go a long way in helping us all to succeed.”

— Marc Noble, National Capital Region Chapter

“I really enjoyed the Leadership Meeting! It was good to see all of the energy and start-up information presented.”

— Darren Singleton, Nashville, Tenn., U.S. Chapter

Additional leadership meetings will be held in 2013. Visit (ISC)² Chapters for more details.

chapter passport: MEMBERS CONNECT AND COLLABORATE

Download a copy of the (ISC)2 Chapter Leadership Meeting presentation slides or watch videos at: www.isc2.org/chapter-leadership-2012.aspx.

Julie Peeler, (ISC)2 Foundation Director and Dan Waddell, Lead Volunteer for Safe and Secure Online and member of the North American Advisory Board (NAAB)


Discover the Power of Information at RSA® Conference
Cybercriminals are on the lookout to uncover security weaknesses in your organization anywhere and anyway they can. To stay one step ahead of threats you need access to the latest security innovations and insights.

At RSA® Conference 2013, you will learn from a diverse array of experts as they provide their perspectives on the state of the security ecosystem and uncover how understanding the bigger picture can prepare you. A delegate pass gives you access to:

21 dynamic tracks with 7 new ones including CISO Viewpoints, Enterprise Defense and Security Mashup

275+ information-packed sessions over five days

450+ track and keynote speakers

350+ leading-edge exhibitors in our expanded Expo

Save $400 before Friday, January 25, 2013

www.rsaconference.com/isc2

Register Now!

Security in Knowledge. Mastering data. Securing the world.

RSA® Conference

[Sponsor logos: Global Diamond, Global Platinum, Global Gold, Platinum, Gold and Silver Sponsors]


Be Aware of Security Awareness

YES WE KNOW. We information security professionals tend to be a little drastic sometimes when it comes to applying methods and controls. In fact, we’ve always known we are! Moreover, the task of constantly being aware of risk factors and how to mitigate them gives us a strong sense of judgment for weighing how frustrating a security implementation could be against its convenience.

In other words, understanding the processes and the risks associated with them is a fundamental part of the mission of an infosec professional. Therefore, it is necessary to consider all possible angles of a given situation in order to, whenever practicable, provide a solution that minimizes negative impacts to assets and therefore to the enterprise.

While the previous paragraph may ring true for anyone who practices security methods routinely, the truth is that the majority, unfortunately, do not. Either they are not encouraged enough or they simply find them tedious or annoying. Security practices are yet to be commonly recognized in our day-to-day activities. If you still haven’t accepted this as a fact, then you should.

This, and nothing else, is what makes users reluctant to accept security measures. If we were able to adopt security practices as a culture, as something that is part of our actions and perhaps our thinking, users would not see them as an imposition but rather as a method of protection for the common good.

The fact that “the most common password used by global businesses is ‘Password1’ because it satisfies the default Microsoft Active Directory complexity setting”, according to Trustwave’s 2012 Global Security Report, indicates a lack of end-user security awareness.
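A worked illustration of the point behind that quote, added here as an example that is not part of the article: a small Python model of the documented default Active Directory complexity rule (at least six characters, characters from three of five categories, and no part of the account name or display name), which “Password1” satisfies, followed by the kind of blocklist check with leet-speak normalization that rejects it. The banned-stem list, the minimum length of 12, and the sample identity “jdoe” / “John Doe” are constructed assumptions for the example, not data from the report.

```python
"""Why "Password1" passes the default AD complexity rule, and one way to catch it anyway.

meets_ad_complexity() models the documented AD "Password must meet complexity
requirements" policy (a model of the documented rule, not Microsoft's code).
BANNED_STEMS, the sample identity and the min_length default are constructed for
this example.
"""
import re
import string

# Constructed sample blocklist of stems that weak corporate passwords are built on.
BANNED_STEMS = {"password", "welcome", "letmein", "qwerty", "summer", "winter", "spring", "autumn"}

# Common character substitutions folded back before the blocklist comparison.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})


def _name_tokens(display_name):
    """Split displayName on the delimiters AD uses and ignore tokens shorter than 3 chars."""
    return [t for t in re.split(r"[,.\-_ #\t]+", display_name) if len(t) >= 3]


def meets_ad_complexity(password, sam_account_name="", display_name=""):
    """Default AD rule: no account-name or display-name token in the password,
    at least 6 characters, and characters from 3 of the 5 categories below."""
    pw_lower = password.lower()
    if len(sam_account_name) >= 3 and sam_account_name.lower() in pw_lower:
        return False
    if any(tok.lower() in pw_lower for tok in _name_tokens(display_name)):
        return False
    if len(password) < 6:
        return False
    categories = [
        any(c.isupper() and c.isascii() for c in password),      # A-Z
        any(c.islower() and c.isascii() for c in password),      # a-z
        any(c.isdigit() and c.isascii() for c in password),      # 0-9
        any(c in string.punctuation for c in password),          # ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
        any(c.isalpha() and not c.isascii() for c in password),  # other Unicode letters
    ]
    return sum(categories) >= 3


def normalize(password):
    """Lower-case and undo common leet substitutions, so "P@ssw0rd!" compares as "passwordi"."""
    return password.lower().translate(LEET)


def contains_banned_stem(password, banned=BANNED_STEMS):
    """True when a banned stem survives normalization anywhere inside the password."""
    norm = normalize(password)
    return any(stem in norm for stem in banned)


def evaluate(password, sam_account_name="", display_name="", min_length=12):
    """Return each verdict separately so a report can show which rule rejected the password."""
    return {
        "ad_complexity": meets_ad_complexity(password, sam_account_name, display_name),
        "banned_stem": contains_banned_stem(password),
        "length_ok": len(password) >= min_length,
    }


def acceptable(password, sam_account_name="", display_name="", min_length=12):
    """Complexity alone is not enough: also require no banned stem and a real minimum length."""
    v = evaluate(password, sam_account_name, display_name, min_length)
    return v["ad_complexity"] and not v["banned_stem"] and v["length_ok"]


if __name__ == "__main__":
    # Constructed sample identity; the first two candidates pass AD complexity but fail the blocklist.
    for pw in ["Password1", "P@ssw0rd!", "password1", "correct-horse-battery-staple-42"]:
        print(f"{pw:35} {evaluate(pw, 'jdoe', 'John Doe')}")
```

Running the block prints one verdict line per candidate; the first two rows show a password that AD’s complexity rule accepts while the stem blocklist rejects it, which is the gap the Trustwave finding points at.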

That’s why security awareness is so important. By no means are we saying this is the key to solving ALL of our issues, but merely that it is fundamental to succeeding in the implementation of a security plan. Of course, we already knew this, didn’t we?

Here’s the catch: although the benefits of awareness are well known in our community, it seems to fall to the bottom of our priority list.

Reactive-oriented security layers take precedence over proactive ones when initiating security programs, not only because they are the hands-on, operational ones — the easiest and quickest to implement by comparison — but also because, business-wise, they are the ones that allow you to present metrics and return on investment to management. After all, big-shot executives like that, right?

Many would argue that awareness is hard to implement because of the lack of support from management. That’s a tragic truth. Following is a list of suggested tasks for revitalizing or beginning awareness initiatives in your organization:

Include strategic clauses in policies. Now that the company has agreed to implement a security program in the organization — with no awareness budget, of course — be sure to include one or two subsections pertaining to awareness. For instance, in the “Acceptable Information Resources Use Policy”, make sure to include instructions for employees to turn off their PCs after a shift is over if it’s not necessary to leave them on.

Screen savers to the rescue. If there’s support for a security program within a company, a domain is likely already in place. Talk to the IT department and use your domain policies to set the company’s screen saver. Be creative with your messages!

Use email. Send email messages to everyone in the company. Try to send insightful but, most of all, short messages. And it is not SPAM if you get consent from management — and believe me, you will — if you ask them to base their decision on the fact that those messages a) could potentially save the company from an incident and b) won’t add a penny to the budget.

Use the phone system. This is a long shot but worth a try. Record awareness tips to play on the phone system when calls are placed on hold.

Talk in person. Maybe you won’t have time to prepare a 30-minute presentation about awareness, but EVERY time there is an opportunity, talk about safe practices and the importance of protecting the company’s assets.

Pedro D. Navarro, CISSP, coordinates PCI-DSS compliance and IT Incident Response for Asociación Cibao de Ahorros y Préstamos, a financial institution in the Dominican Republic.

global insight: INTERNATIONAL INFORMATION SECURITY PERSPECTIVES


Receive a new webcast each week.

(ISC)2 members must stay current in the evolving world of software security. This series will provide you with a new webcast each week, each focusing on securing a different phase of the software lifecycle. It will show you what security measures need to take place at the beginning, in the requirements phase; how security must be built in during the design phase; and how to test, in the testing phase, whether the application is resilient enough to withstand attacks.

Also, this series will feature a webcast on the value of the CSSLP and how to study for the exam. Connect with us:

www.isc2intersec.com
www.twitter.com/isc2
www.facebook.com/csslp

FREE (ISC)2® Webcast on Securing the SDLC: www.isc2.org/csslppreview.aspx

Is your software open to attacks?

Slam the door by learning best practices for securing the SDLC.