A CISO Landmine: No Security Awareness Training

blog / Nov 14, 2017 (MODIFIED: Nov 17, 2017)

by Mike Levin, Center for Information Security Awareness

CISOs who fail to prioritize security awareness training are putting their business and assets at serious risk.

Is a Good Offense the Best Defense Against Hackers?

blog / Nov 09, 2017 (MODIFIED: Nov 21, 2017)

by Ray Pompon

Proposed legislation could change existing laws that bar victims of hacking attacks from striking back.

Can Engineers Build Networks Too Complicated for Humans to Operate? Part II: Making Sense of Network Activities and System Behaviors

blog / Nov 02, 2017 (MODIFIED: Nov 14, 2017)

by Mike Simon

How to selectively capture packets for further analysis and avoid buying a storage farm.

Third-Party Security is Your Security

blog / Oct 24, 2017 (MODIFIED: Nov 21, 2017)

by Ray Pompon

When you must depend on third parties for a variety of products and services, it’s critical that you hold them to high security standards.

How to Be a More Effective CISO by Aligning Your Security to the Business

blog / Oct 17, 2017 (MODIFIED: Nov 14, 2017)

by Ray Pompon

Security must align to the business needs, not the other way around. Begin with investigation and understanding to be most effective.

Proposed Legislation Calls for Cleaning Up the IoT Security Mess

blog / Oct 03, 2017 (MODIFIED: Nov 14, 2017)

by Ray Pompon, David Holmes

Legislation is a good first step toward persuading IoT manufacturers (who want to stay in business) to do the right thing when it comes to the security of their devices.

Five Reasons CISOs Should Keep an Open Mind about Cryptocurrencies

blog / Sept 26, 2017 (MODIFIED: Nov 09, 2017)

by Ray Pompon, Justin Shattuck

Far from a dying breed, cryptocurrencies are not only evolving but being accepted in countless new markets. CISOs need to know the ins and outs, pros and cons.

CISOs: Striving Toward Proactive Security Strategies

report / Sept 19, 2017 (MODIFIED: Nov 09, 2017)

by Mike Convertino

As enterprises more closely align their security and IT operations, they still struggle to shift their security programs from reactive to proactive.

Five Reasons the CISO is a Cryptocurrency Skeptic—Starting with Bitcoin

blog / Sept 13, 2017 (MODIFIED: Oct 24, 2017)

by David Holmes

There’s a lot of hype surrounding cryptocurrencies, but what’s good for currency traders may not be great for security-minded professionals.

Six Steps to Finding Honey in the OWASP

blog / Aug 31, 2017 (MODIFIED: Oct 17, 2017)

by Ray Pompon

According to Verizon’s 2014 Data Breach Investigations Report, “Web applications remain the proverbial punching bag of the Internet.” Things haven’t improved much since then. What is it about web applications that makes them so...

Achieving Multi-Dimensional Security through Information Modeling—Executive Threat Modeling Part 3

blog / Aug 23, 2017 (MODIFIED: Oct 10, 2017)

by Ravila White

How InfoSec leaders can build successful threat models by defining the threat landscape and its component resources, then asking simple, situational questions.

Where Do Vulnerabilities Come From?

blog / Aug 15, 2017 (MODIFIED: Sept 26, 2017)

by Ray Pompon

Vulnerabilities are an emergent property of modern software’s complexity, requested features, and the way data inputs are handled.

Can Engineers Build Networks Too Complicated for Humans to Operate? Part I: Scope of the Problem

blog / Aug 03, 2017 (MODIFIED: Oct 30, 2017)

by Mike Simon

This series explores how InfoSec practitioners can use math, technology, and critical thinking to mitigate risk in a world where networks and data have surpassed the scope of human comprehension.

What Are You Doing to Protect Critical Infrastructure?

blog / Jul 25, 2017 (MODIFIED: Nov 10, 2017)

by Mike Levin, Center for Information Security Awareness

Protecting our critical infrastructure is everyone’s responsibility, and there are many ways we can all do our part.

How to Avoid the Six Most Common Audit Failures

blog / Jul 18, 2017 (MODIFIED: Sept 01, 2017)

by Ray Pompon

A veteran auditor told us how organizations fail audits. Here are six detailed strategies to help you achieve success.

Who Should the CISO Report To?

blog / Jul 11, 2017 (MODIFIED: Aug 24, 2017)

by Ray Pompon

Savvy organizations that understand the gravity of cyber security are giving CISOs a voice at the executive table.

The Six Most Common Audit Failures

blog / Jun 29, 2017 (MODIFIED: Aug 15, 2017)

by Kyle Robinson, Senior Manager at Grant Thornton

A veteran auditor walks through where he’s seen organizations fail during audit.

Achieving Multi-Dimensional Security through Information Modeling—The Master Model Part 2

blog / Jun 22, 2017 (MODIFIED: Aug 03, 2017)

by Ravila White

Understanding the customer segment of your organization is critical to developing a strategy that ensures regulatory compliance.

Yak Shaving: CISOs Aren’t Immune

blog / Jun 14, 2017 (MODIFIED: Jul 25, 2017)

by Ray Pompon

Sometimes, CISOs spin their wheels doing useless security activity that only looks productive from the outside.

10 Ways Organizations Can Get Ready for Breach Disclosure

blog / Jun 08, 2017 (MODIFIED: Jul 20, 2017)

by Ray Pompon

Facing data breach disclosure requirements across the globe, organizations need to prepare in advance so they can respond well.

The CISO: A Field Guide

blog / Jun 01, 2017 (MODIFIED: Jul 18, 2017)

by Bill Hughes

Learn to recognize different types of CISOs so you can ensure you’re hiring the right one.

How I Learned to Love Cyber Security

blog / May 25, 2017 (MODIFIED: Jul 18, 2017)

by Todd Plesco, CISO of Prescribe Wellness

Cyber security can be a difficult and thankless job, but you can learn to love it when you know how to go about it.

How a CISO Can Play a Role in Selling Security

blog / May 23, 2017 (MODIFIED: Jul 06, 2017)

by Ray Pompon

More and more CISOs are finding themselves pulled into the sales cycle to defend and sell their security programs. Here’s how to do it right.

Can Your Risk Assessment Stand Up Under Scrutiny?

blog / May 09, 2017 (MODIFIED: Jul 24, 2017)

by Ray Pompon

Risk assessments are a key part of a security program, but their execution and format are highly variable. Regulators can sanction organizations that perform improper or inadequate risk assessments.

Achieving Multi-Dimensional Security through Information Modeling – Part 1

blog / May 04, 2017 (MODIFIED: Jul 18, 2017)

by Ravila White

Information modeling blends lateral thinking and deductive logic. Applied to information security, it’s a powerful technique for designing a security architecture with multi-dimensional controls that minimizes risk and achieves continuous compliance.

7 Upgrades to Level Up Your Security Program Experience

blog / Apr 28, 2017 (MODIFIED: Jul 06, 2017)

by Ray Pompon

When you feel like you’re losing the security battle, try one, a few, or all of these tips to re-invigorate your program and stay on a positive track.

Executive Impersonation Fraud Is on the Rise—and It Is Working

blog / Apr 20, 2017 (MODIFIED: Jul 18, 2017)

by Mike Levin, Center for Information Security Awareness

Your company could lose hundreds of thousands in an impersonation scam, but here are eight things you can do to protect yourself.

Stalking in the Workplace: What CISOs Can Do

blog / Apr 14, 2017 (MODIFIED: Jul 24, 2017)

by Ray Pompon

Cyberstalking will rise as hacking tools become more powerful and easier to use, but there’s much you can do to help protect victims.

Wait, Don’t Throw Out Your Firewalls!

blog / Apr 04, 2017 (MODIFIED: Jul 24, 2017)

by Wendy Nather, Duo Security

Yes, the perimeter has shifted, but firewalls still have a place in your network. They’re just not alone anymore.

How to Talk Cyber Risk with Executives

blog / Mar 30, 2017 (MODIFIED: Jul 24, 2017)

by Ray Pompon, Sara Boddy

Board-level interest in your cyber risk posture is growing; in fact, it might soon be required for publicly traded companies. Presenting cyber risk to your board effectively means talking in their terms.

Cyber Insurance: Read the Fine Print!

blog / Mar 24, 2017 (MODIFIED: Sept 01, 2017)

by Ray Pompon, Sara Boddy

Purchasing cyber insurance can be useful, but claims are often denied due to policy exclusions or lapses in controls.

Can Audits Help Us Trust Third Parties?

blog / Mar 20, 2017 (MODIFIED: Jul 06, 2017)

by Ray Pompon

Organizations that outsource need to measure the risk of entrusting their data to someone else. Audits aren’t easy or cheap, but they are really the best tool we have.

Will Deception as a Defense Become Mainstream?

blog / Mar 13, 2017 (MODIFIED: Jul 06, 2017)

by Ray Pompon

Defensive deception works well, but needs championing before we’ll see it as a best practice or compliance requirement.

Five Steps Users Can Take to Inoculate Themselves against Fake News

blog / Mar 06, 2017 (MODIFIED: Jul 24, 2017)

by Michael Levin, Center for Information Security Awareness

Security awareness training can significantly curb users' dissemination of fake news.

A CISO’s Reflections on RSA 2017

blog / Feb 28, 2017 (MODIFIED: Jul 06, 2017)

by Mike Convertino

Recapping RSA 2017: Endpoint Protection, Threat Hunting, and Talent Searching Abound!

Cloudbleed: What We Know and What You Should Do

blog / Feb 24, 2017 (MODIFIED: Jul 06, 2017)

by Lori MacVittie

Definitive steps individuals and organizations can take today to deal with the impact of Cloudbleed.

Building Secure Solutions Successfully Using Systems Theory

blog / Feb 23, 2017 (MODIFIED: Jul 06, 2017)

by Ray Pompon

When security solutions don’t work as planned, embrace the complexity and use Systems Theory tools to adjust, regulate, and redefine.

The Conflicting Obligations of a Security Leader

blog / Feb 14, 2017 (MODIFIED: Jul 06, 2017)

by Ray Pompon

Faced with competing pressures, CISOs are ultimately the experts at assessing what’s truly at stake in their organizations.

The Risk Pivot: Succeeding with Business Leadership by Quantifying Operational Risk

blog / Feb 09, 2017 (MODIFIED: Jul 06, 2017)

by Ray Pompon

Getting the security investments you need often comes down to making your case to management in terms of operational risk.

The Humanization of the Security Leader: What CISOs Need to Be Successful

blog / Jan 23, 2017 (MODIFIED: Jul 06, 2017)

by Ray Pompon

When someone from the IT group gets promoted into security management, a common first lesson is that “geek culture” is ineffective in the boardroom. Just watch one episode of The Big Bang Theory and you’ll recognize the classic nerd character...

Get the latest application threat intelligence from F5 Labs.