information security

26.11.2017 cyber security, information security, privacy, Privacy by Design, security, security threats

Applying Privacy by Design as a Strategy to Reduce Your Attack Surface

We spend a lot of time and money setting up defenses to keep cyber threats from breaching our organizational perimeters, but we hardly spend any time on the mess we have inside. Applying Privacy by Design principles to the data and systems within your organization can make it much harder for cyber thieves to steal your important information when they do finally breach your network.

Click on the link below to see the presentation I gave at this year’s Cyber Threat Summit in Dublin, Ireland on October 24, 2017:

20171009 ICTTF 2017 presentation – using PBD to reduce your attack surface v1a (CG)

r/Chuck

02.10.2015 computer security, cyber crime, cyber security, ICTTF, information security, security, security threats

Message to the Board: Stop being an Ostrich when it comes to Cyber Security – Trust, but verify

I just gave this presentation to nearly 200 attendees of the ICTTF Cyber Threat Summit 2015 in Dublin, Ireland.

For those of you who attended: thank you!

Through this presentation I hope I was able to communicate three points:

  1. How company/agency executives put their organizations at risk by blindly trusting that they are doing all that can be done to secure their networks, applications and data;
  2. That leadership's approach to motivating employees to practice better cyber hygiene needs to borrow from the behavioral economics principles that advertisers use; and
  3. That by changing the way they ask questions of their senior staff (mainly their CIO/CISO), they can a) get better proof that the necessary cyber protections are in place, and b) gain a better understanding of the unaddressed cyber risk their company/agency faces.

Enjoy…r/Chuck

30.10.2013 computer security, cyber crime, cyber security, information security, insider threat, leadership, security threats

Message to the Board: Why YOU are the reason for insider threats.

Enjoy a 20-minute presentation on why executives are the cause of many, if not most, insider threat cases…



14.09.2013 counterintelligence, cyber crime, cyber security, Economic espionage, espionage, information security, INSA, insider threat, Risk assessment, security, security threats

Message to Government and Private Sector: YOU are the reason for insider threats

Everyone is missing the boat on the insider threat issue – INSA too. To paraphrase James Carville, "It's leadership, stupid."

Government and private sector organizations are the primary reason for insider threats – senior leaders and the boardroom grow them internally.

With very minor exception, NO ONE COMES TO WORK FOR YOU ON DAY ONE WITH THE INTENT TO HURT YOU, steal your secrets, or sell your intellectual property.

It’s how you treat them, over time, that turns them into insider threats.

  • You put them in the wrong jobs;
  • You fail to trust them;
  • You make it hard for them to do their jobs;
  • You put asshole/untrained managers over them;
  • You treat them like furniture;
  • You threaten their existence in your companies and agencies;
  • You kill their spirit; and
  • Then, you wonder why they decide to hurt you.

Want to reduce or eliminate the insider threat? Treat your staff the way you did on day one:

  • Welcome them as a human being;
  • Be aware of how they are cared for in your organization;
  • Show them you care about them and their families;
  • Give them a future;
  • Put r-e-a-l leaders over them;
  • Give them a voice; and
  • Pay them well.

In other words, treat them as you would want to be treated.

Now, why is that so hard?

And why do NONE of the plans I have seen for combating the insider threat even mention poor leadership as a factor?

INSAonline.org | 9.12.13 Assessing Insider Threat Programs of U.S. Private Sector http://www.insaonline.org/i/f/pr/9.12.13_InsiderThreat_WP.aspx


11.10.2012 computer security, counterintelligence, cyber crime, cyber security, Economic espionage, espionage, information security, insider threat, leadership, security, security threats

Why can’t Johnny be good? The making of an insider threat

"When Johnny reports to work for you on Day 1, they DO NOT intend to do you or your organization's information systems any harm; something happens to them, either in their personal or work life, that changes this. The CEO or Agency Head must be held responsible for making sure they know what's going on with all of the Johnnys (and Janes) in their organization, to prevent the good people they hired from becoming insider threats."

While most of the world is focusing on “technology” as a solution to preventing insider threat attacks to organization/agency information and systems, hardly anyone is focused on leadership’s responsibility to create and sustain a work environment that minimizes the chance for an employee to turn into an insider threat.

On October 21, 2012, I had the chance to speak on this issue at the 2012 International Cyber Threat Task Force (ICTTF) Cyber Threat Summit in Dublin, Ireland, a few weeks ago. Here is a video recording of my presentation; I hope you find it informative and useful.

r/Chuck

30.08.2011 cyber security, Evaluation, information security, iso/iec 27001, security

NOWHERETOHIDE.ORG completes ISO/IEC 27001:2005 Lead Auditor (TPECS) competency

The British Standards Institute (BSI) issued an ISO/IEC 27001:2005 Lead Auditor (TPECS) certificate to Chuck Georgo today.

ISO/IEC 27001 is an Information Security Management System (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). (The 2005 edition has since been superseded by the 2013 and 2022 revisions; the management-system requirements described below still apply.)

ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard.

NOWHERETOHIDE will be publishing a series of blog posts over the next few weeks to help educate organizations about the standard, its criteria, and strategies for achieving compliance.

It is important to understand that ISO/IEC 27001 certification is not a one-off exercise. To maintain the certificate the organization must review and monitor its information security management system on an ongoing basis, and it must pass the certification body's periodic surveillance audits and recertification audits.