CISO News

1 Global CISO Forum Announced in Wake of LinkedIn Breach

EC-Council is launching the Global CISO Forum to address the increasing demands faced by top-level information security executives. The IS landscape has never been so fraught with attacks, as evidenced by the recent leak and cracking of LinkedIn password hashes or by Google warning Gmail account holders of suspected state-sponsored attacks. The Forum, which will take place in conjunction with EC-Council’s premier IS conference, Hacker Halted, will bring together CISOs from around the world to discuss how constantly changing security challenges affect the day-to-day work of CISOs at the largest and most prestigious organizations.

A few of the topics to be discussed include integrating wargames into security strategies; recruiting, training, and managing superior security teams; data loss prevention; and internally branding and integrating a security program while aligning it with business objectives. The diversity of topics hints at the breadth of issues with which an average CISO must contend to keep their organization’s data safe. “The cybersecurity war is becoming more complicated by the day,” says Jay Bavisi, President of EC-Council. Mr. Bavisi went on to say, “EC-Council’s Global CISO Forum is an event that aims to bring together the world’s best and brightest CISOs to unite against the hackers and share information.”

One reason for continued breaches, according to the recent Wisegate report, could be the changing role CISOs are playing within their organizations. The report documents how CISOs are now more than ever being charged with an ever-expanding suite of responsibilities ranging from managing the conflicts that arise from the differing goals of IS and business development, to developing privacy policies and disaster recovery plans. The Global CISO Forum aims to address these challenges, partly through formal panel-based discussions, but also by bringing together the top minds in the CISO world and encouraging an atmosphere of best practice sharing. One aspect of the fight for information security that’s long been observed in the industry is the tendency for “the bad guys” to do a better job of information sharing than the guardians of the world’s information. According to Dave Cullinane, CISO at eBay, “Continuous process improvement is happening on the dark side. Our adversary is sharing information quite effectively. We are not. We must begin immediately to do so – and do it far more effectively than ever before. We need to shift the balance of power back to the Good Guys.”

For more information and inclusion in the Forum, interested CISOs can apply to attend here: http://www.eccouncil.org/resources/ciso-executive-summit

Read the full story at http://www.prweb.com/releases/2012/7/prweb9675634.htm

2 CISOs To Huddle In Wake Of LinkedIn Breach, Gmail Warnings

The EC-Council invites security chiefs to get together before Halloween and decide how to bedevil their adversaries.

The EC-Council, the body behind the Certified Ethical Hacker certification, will convene a Global CISO Forum in Miami on Oct. 29 and 30, open only to a limited number of senior information security executives, to discuss a security landscape that is increasing in complexity and alarming Internet users. Apparently, when attackers dump and crack large caches of LinkedIn’s password hashes (stored as unsalted SHA-1, which is why so many were recovered so quickly) and state-sponsored attacks are a big enough threat to Gmail users that Google has to issue warnings, it’s time for the world’s CISOs to huddle.

The summit, scheduled in conjunction with the EC-Council’s IS conference, Hacker Halted, will gather CISOs from the world’s “largest and most prestigious” enterprises to talk about how these types of extreme events affect their companies and what to do about it.

But what can a forum like this do to prevent data breaches? For one thing, it provides a venue for the exchange of ideas and information. For a long time, attackers have been well-organized and shared information freely. “But due to proprietary, governmental and other borders, we guardians of information do not share information as well as they do,” says Amber Williams, manager of strategic initiatives at the EC-Council. “This forum is designed to promote exchange of ideas and discussion, with six to seven experts per panel topic who will elicit a lot of responses from the audience as they go along.”

That’s all well and good, but, according to Danny Lieberman, CTO of Software Associates, most CISOs and infosec professionals already know what appropriate security countermeasures look like. For example, encryption is a cornerstone of securing data at rest, and our latest InformationWeek Strategic Security Survey recommendation list includes better vetting of service providers. The problem is getting the CEO to agree.

While the EC-Council’s Hacker Halted events see increasing attendance year on year, says Williams, the council is capping attendance for the Global CISO Forum at 200. The goal is to make high-level executives feel free to talk about not just best practices but the struggles they have had without fear of hurting their brands, she says.

You know the EC-Council is getting serious when it talks about “integrating war games into security strategies.” Other topics of discussion planned for the summit include recruiting, training, and managing superior security teams; data loss prevention; and internally branding and integrating a security program while aligning it with business objectives. In fact, the EC-Council says one reason for continued breaches is the conflicts that arise from the differing goals of security and business development teams. The forum intends to address this issue and others not only through panels but also by encouraging an atmosphere of best-practice sharing.

It’s great that the EC-Council and CISOs are on fire about this. But it’s also clear that without approval from the CEO, anything with a price tag that doesn’t have demonstrated business value will go nowhere. That is why CISOs should pay special attention to the part about aligning with business objectives.

What CISOs should really be asking at this forum, says Lieberman, is how their peers develop a real business case to present to the CEO. How do I put together a threat model and evaluate the risk? How do I get the CFO on board before I go to the CEO? Lieberman illustrates a sample exchange, where the CISO is prepared to say to the CEO, “There is X percent chance someone will steal our company’s intellectual property. I have put together a team to evaluate the risk, and that is its finding. It will cost $20 million if this IP theft occurs. I need a couple more employees and $1 million to buy hardware and software to protect that $20 million worth of IP.”

Better yet, have the CFO on the team that helped put together this analysis, something the EC-Council plans to address. “Because we are inviting mostly C-levels, they will report to a board or another C-level executive,” says Williams. “Part of what we want to share is how to brand a security program internally and sell it to the board, C-level executives, and the whole company. And in the case of governments, sell it to the many layers of government workers.”
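A worked version of the business case Lieberman sketches, as an added example that is not from the article, from Lieberman or from EC-Council. The $20 million loss and the $1 million control cost are the article’s figures; the 20% annual probability, the control’s 75% effectiveness and the control’s name are assumptions made for the illustration. It also adds one figure the exchange leaves implicit: the break-even probability, the smallest likelihood of the event at which the control still pays for itself, which is the number a CFO will usually test the estimate against.

```python
"""Expected-loss business case for a security control.

Added illustration; not part of the article or of EC-Council material.
Loss size and control cost follow Lieberman's sample exchange; the
probabilities and the control's effectiveness are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One line of a risk register: a threat event and what it would cost."""
    name: str
    annual_probability: float   # P(event occurs within a year), 0..1, from the risk team
    loss_if_occurs: float       # single-loss expectancy, in dollars

    def expected_annual_loss(self) -> float:
        """Annualised loss expectancy: probability times impact."""
        return self.annual_probability * self.loss_if_occurs


@dataclass(frozen=True)
class Control:
    """A proposed countermeasure and how much of the event probability it removes."""
    name: str
    annual_cost: float            # people + hardware + software, annualised
    probability_reduction: float  # fraction of the event probability removed, 0..1


def residual_loss(scenario: Scenario, control: Control) -> float:
    """Expected annual loss that remains once the control is in place."""
    residual_p = scenario.annual_probability * (1.0 - control.probability_reduction)
    return residual_p * scenario.loss_if_occurs


def rosi(scenario: Scenario, control: Control) -> float:
    """Return on security investment: (risk reduction - cost) / cost."""
    reduction = scenario.expected_annual_loss() - residual_loss(scenario, control)
    return (reduction - control.annual_cost) / control.annual_cost


def break_even_probability(scenario: Scenario, control: Control) -> float:
    """Lowest annual event probability at which the control pays for itself.

    Solves  p * loss * probability_reduction == annual_cost  for p.
    A result above 1.0 means the control can never pay for itself at this loss size.
    """
    return control.annual_cost / (scenario.loss_if_occurs * control.probability_reduction)


def business_case(scenario: Scenario, control: Control) -> dict:
    """The numbers a CISO would put in front of the CFO, in one place."""
    ale = scenario.expected_annual_loss()
    resid = residual_loss(scenario, control)
    return {
        "expected_annual_loss": ale,
        "residual_annual_loss": resid,
        "risk_reduction": ale - resid,
        "control_cost": control.annual_cost,
        "rosi": rosi(scenario, control),
        "break_even_probability": break_even_probability(scenario, control),
        "recommend": (ale - resid) > control.annual_cost,
    }


# Constructed figures: loss and cost from the article's example; the 20% annual
# probability and the 75% effective control are assumptions for the illustration.
IP_THEFT = Scenario("IP theft", annual_probability=0.20, loss_if_occurs=20_000_000)
IP_CONTROL = Control("DLP tooling plus two analysts", annual_cost=1_000_000,
                     probability_reduction=0.75)

if __name__ == "__main__":
    for key, value in business_case(IP_THEFT, IP_CONTROL).items():
        print(f"{key}: {value}")
```

Run it directly to print the case. The break-even figure is the one to defend in the room: with a $20 million loss and a control that removes three quarters of the risk, the $1 million spend is justified whenever the team’s probability estimate is above roughly 6.7% per year, and not otherwise.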

Another concern for many security chiefs, says Alan Shimel, managing partner at The CISO Group, is the changing nature of the threat. Many CISOs at work today came into that role during a time when financial fraud and cybercrime were the motives for attacks, says Shimel. “Now we have hacktivists and people who are financially motivated, but instead of looking for personally identifiable information, they’re looking for intellectual property,” he says. “Due to these different motives, hackers use different attack vectors.”

Announced speakers for the event include Eddie Schwartz, CISO for RSA; Joe Albaugh, CISO at the Federal Aviation Administration; Ron Baklarz, CISO at Amtrak; and Richard T. Rushing, CISO for Motorola Mobility.




3 Research Shows Certified Information Security Leaders Deliver Higher ROI

The recent increase in security breaches has caused many organizations to put a greater emphasis on improving the skills of the information security (IS) workforce. Research shows IS certifications lead to improved job performance and higher returns on investment. EC-Council’s Chief Information Security Officer Certification (C|CISO) equips CISOs with the most effective toolset to lead a high performing information security program and defend the company from cyber attacks.

February 14, 2012, Albuquerque, NM- Recent research by Ponemon Institute has shown that the average cost of cybercrime has increased by 56%. The complex and dynamic nature of the current risk landscape is causing organizations to put a greater focus on training their workforce. A recent study by Global Knowledge cites that managers believe certified information security professionals are 80% more effective at their jobs post-certification. Further, studies show that investing in certifications can yield a higher return on investment (ROI).
According to a study by IBM, “When business partners are grouped by the number of certified individuals on staff, those with higher levels of certifications exhibit measurably higher revenue per certified individual, and the value of each additional certification improves team performance.” IBM estimates that every $1 invested in learning and certifications averages a return in revenue of $345. In addition to an increase in revenue, certifications improve team performance by 11%.


The need for having a highly skilled information security team has never been greater. Jay Bavisi, President and Co-Founder of EC-Council, stated “The information security industry has changed tremendously in the past few years. This year alone, large corporations and governments around the world have suffered devastating and extremely costly cyber attacks. With the need to fulfill the IS industry’s growing needs for strong leadership, the Chief Information Security Officer Certification (C|CISO) was designed to complement the use of high-end technology with empowered and experienced executives who are ready to direct the information security team in today’s complex environment.”
EC-Council’s Chief Information Security Officer Certification prepares Chief Information Security Officers (CISOs) to defend their organizations from security breaches by actively improving the current information technology security solutions, enforcing regulatory requirements and aligning IS with the strategic needs and goals of their organization.

This skill set enables the CISO to be the best guardian of their organization’s digital assets. For more information about C|CISO, please visit: http://www.eccouncil.org/ciso.


According to SC Magazine, companies that employ a CISO to lead an effective IS program are 10 times less likely to experience costly security breaches. Today’s risk landscape makes it almost impossible to protect against data loss and theft without the skills of a highly trained IS leader, like a CISO. Certifications provide the CISO with the tools needed to effectively protect the organization from cybercrime.


Contact:

Marissa Easter – Marketing Communications Specialist (marissa.easter@eccouncil.org)


About EC-Council’s Chief Information Security Officer (C|CISO) Certification:
C|CISO is the first certification of its kind to equip Information Assurance leaders with the most effective toolset to defend organizations from cyber attacks. It recognizes an individual’s accumulated skills in developing and executing an information security management strategy in alignment with organization goals. Applicants can take advantage of the Grandfather Provision until December 31st, 2012. The Grandfather Provision is open to highly-skilled and experienced professionals who can demonstrate and prove proficiency in the 5 C|CISO domains. For more information about C|CISO, please visit: http://www.eccouncil.org/ciso


About EC-Council:

The International Council of E-Commerce Consultants (EC-Council) is a member-based organization that certifies individuals in cyber security and e-commerce. It is the owner and developer of 20 security certifications, including Certified Ethical Hacker (CEH), Computer Hacking Forensics Investigator (CHFI), Certified Security Analyst /Licensed Penetration Tester (ECSA/LPT) certification and Certified Chief Information Security Officer (C|CISO). EC-Council has trained over 90,000 security professionals and certified more than 40,000 members. EC-Council’s certification programs are offered by over 450 training centers across 87 countries. These certifications are recognized worldwide and have received endorsements from various government agencies including the U.S. Department of Defense via DoD 8570.01-M, the Montgomery GI Bill, National Security Agency (NSA) and the Committee on National Security Systems (CNSS). EC-Council also operates EC-Council University and the global series of Hacker Halted information security conferences. For more information about EC-Council visit www.eccouncil.org, follow @ECCouncil on Twitter, LinkedIn or visit EC-Council’s Facebook page.


4 Research Proves Best Performing Companies Employ a CISO with a High-Performing Security Program
Research by SC Magazine finds that organizations that have a Chief Information Security Officer (CISO) have higher profit margins, generate more revenue, and display increased productivity.

January 31, 2012, Albuquerque, NM- EC-Council has released a new white paper that gives comprehensive strategies to CISOs on leading a high-performing information security (IS) program. According to research done by SC Magazine, companies that have an active CISO role and high-performing security program generate more revenue, spend less money, are more productive, and have reduced risks. However, the complexities and challenges of the organization’s infrastructure create daily traps that distract IS teams from carrying out tactical and strategic functions.

An effective CISO and well-run information security program can save a company almost 10% of total revenue. SC Magazine’s article “Want to Reduce IT Risk and Save Money? Hire a CISO” attributes this saving in gross revenue to a decreased risk of data loss and theft. Further, the article reports that the most successful companies that employ a CISO to lead an effective IS program are 10 times less likely to experience costly security breaches.

Todd Bell, Executive IT Security Advisor at ConnectTech, LLC, says “Today’s threat landscape requires CISOs to develop and implement a high-performing information security (IS) program. One of the biggest challenges is not letting the torrent of corporate issues interfere with the overall effectiveness of the IT security team.” Bell, a speaker at EC-Council’s CISO Executive Summit in December 2011, was inspired by his panel role in the “Implementing a High-Performing Information Security Program” discussion and developed a how-to guide for CISOs on leading a high-performing IS program. To view the White Paper, please go to: http://goo.gl/pxmY5
“Simply put, CISOs contribute to better business results by ensuring security measures are fully implemented, standardizing and automating procedures, and by taking a strategic role with the organization to make information security a part of a business process,” affirms Jim Hurley, managing director of Symantec’s IT Policy Compliance Group.

EC-Council is committed to providing Information Assurance Executive Professionals with the latest Information Security news and trends from the industry’s leading experts. Readers of this White Paper are also encouraged to look into EC-Council’s Certified Chief Information Security Officer (C|CISO) Certification and EC-Council’s CISO Executive Summit Series. To view the full report complete with key takeaways from the CISO Executive Summit, or to attend or speak at upcoming CISO Executive Summits, visit http://www.eccouncil.org/cisosummit. For more information about EC-Council’s Chief Information Security Officer Certification program, visit http://www.eccouncil.org/ciso.





5 Changes in Economic Climate and Business Landscape Call for a New Strategic Business Development Process – Wargaming

Fewer resources and smaller budgets are motivating Chief Information Security Officers (CISOs) to transition from an operational executive into a strategic business partner. To excel in today’s evolving and complex business landscape, CISOs must look for a new strategic business development process, such as Business Wargaming. Wargaming will help provide a holistic view of prospective scenarios, create a proactive development plan and an improved reactive strategy.

January 27, 2012, Albuquerque, NM- Today EC-Council releases a new White Paper that introduces an alternative to conventional CISO practices. As the business landscape becomes more complex and adjusts to stricter policies, increased competition, budget cuts and limited resources, those in the Chief Information Security Officer (CISO) position must develop a strategy that accommodates and meets the needs of the organization. Business wargaming will help the CISO develop a plan in which they can foresee future challenges, anticipate the moves of their competitors and stay ahead of prospective obstacles.

Nitin Kumar, global executive and managing consultant, published the White Paper “Wargaming for CISOs” in EC-Council’s CISO Series of White Papers. In it he stresses, “To excel in this new business landscape, CISOs need to look at a new strategy development process which will help making decisions realistic at a minimal risk and achieve full strategic and operational alignment.” To read the white paper, please visit: http://goo.gl/XQPFa
In this White Paper, Nitin Kumar reviews the shortcomings of the conventional CISO strategy and guides the reader through the development of the wargaming strategy by examining wargame types, levels and execution. He suggests ideal circumstances for wargaming and highlights benefits of using this strategy. The White Paper includes tactics that will help the CISO manage the challenges and high demands that come with the role.

Business wargaming adapts the art of simulating moves and counter-moves in a commercial setting. Business war games are a relatively recent development, but they are growing rapidly, and the time has come for CISO organizations to adopt this technique in order to stay ahead of the game.

The CISO position is a relatively new one, and in its short history it has evolved dramatically. Neira Jones, head of payment security for Barclaycard, said in the article “How the Role of the CISO Must Evolve to Balance Risk and Business” that, due to the changing business landscape, “The CISO needs to evolve from an isolated subject matter expert and analyst to a trusted advisor on how technology can improve business; to an integrated business thinker, facilitator, leader, evangelist and educator.”

Business wargaming will help executives develop plans that meet their strategic goals, create competitive advantage, and alleviate the pressure created by the complex and ever-changing nature of today’s business landscape.

EC-Council is committed to providing Information Assurance Executive Professionals with the latest Information Security news and trends from the industry’s leading experts. If this White Paper is of interest, it is encouraged to also look into EC-Council’s Certified Chief Information Security Officer (C|CISO) Certification and EC-Council’s CISO Executive Summit Series.




6 Global Increase in Outsourcing Leaves Companies Open to Information Security Breaches

Companies must find ways to manage the benefits and risks of outsourcing as almost two-thirds of Information Technology (IT) infrastructure is predicted to be outsourced within the next 8 years. EC-Council CISO Summit panel discussion suggests that increased information security compliance plans, continuous education, and knowledge sharing may prove to be the best solution.

January 23, 2012, Albuquerque, NM- Global economic troubles have motivated many companies to seek alternative ways of conducting business that cut costs and maximize profits. One of the most popular methods is outsourcing IT infrastructure, information security (IS) included. According to a recent study commissioned by Savvis, Inc., the share of IT infrastructure that is outsourced is predicted to increase from 17% to over 64% globally by 2020. Security outsourcing has its benefits; however, it also comes with an array of risks.

Jeff Tutton, President of Global Security and Compliance at Intersec Worldwide, recently led an interactive panel discussion centered on outsourcing and information security management at EC-Council’s inaugural CISO (Chief Information Security Officer) Executive Summit, held in Las Vegas on December 5-6, 2011. Tutton was joined by Todd Bell, Executive IT Security Advisor, ConnectTech, LLC; Inno Eroraha, Founder & CEO, NetSecurity Corporation; Chris Oglesby, Senior VP, Knowledge Consulting Group; and Edward Ray, CISO, MMICMAN, LLC. The panel addressed the challenges of managing risk and monitoring the outsourcing provider’s performance while keeping up with recent compliance changes such as those around SAS 70 (superseded in 2011 by SSAE 16) and PCI DSS. To view an interactive video of the panel discussion, please visit: http://goo.gl/SwxEj

“The challenges of outsourcing are similar to those you may have with the acquisition (insourcing) process. When acquiring a new company you need to ensure that due diligence has been completed prior to acquisition and integration, as you now will be responsible for the security of that company’s data. This is the same with outsourcing,” said Tutton. “Hire a trusted and qualified third party to complete a thorough evaluation of the outsourcing company. But don’t just stop there; put in place methods and controls to monitor and maintain the security of this data during the entire lifecycle. Trust but verify, and assign responsibility to a qualified person within your organization to manage and maintain oversight of security. Another option is to outsource only the data and systems that you want to end up in the public domain.”

Tutton’s panel presented a detailed overview of the benefits and challenges of outsourcing with respect to information security (IS). Globally, over 60% of organizations say that managing IT infrastructure domestically offers no competitive advantage and are planning to move operations offshore. However, many offshore jurisdictions do not impose the same legal obligations as the United States. For instance, India, one of the biggest destinations for offshore outsourcing, has no comprehensive data privacy law. That gap in legal protection leaves confidential information more exposed to breaches, so contractual and technical controls have to fill it.

In 2011, Epsilon, an email marketing service provider, suffered a security breach that ended up affecting around 75 clients and compromising over 60 million names and email addresses. Security breaches such as this can be extremely costly and detrimental to a company’s reputation, and in an outsourcing arrangement that reputational damage falls on the client whose customers were exposed.
“If an organization is looking to do a large infrastructure outsourcing engagement, the best way to ensure that security is a priority is to build a comprehensive list of security requirements into outsourcing contracts, develop appropriate service level agreements and reporting mechanisms to evaluate security and budget for a review by an independent assessment organization – this will ensure that security always stays top of mind,” said panel speaker Chris Oglesby. “If, however, the decision is to outsource infrastructure and security separately then the security operations should drive the direction and outcomes and create independence between the organizations to meet the client needs.”

In the future, companies need to employ executive IS leaders who will develop methods to adequately protect their IT infrastructure when outsourcing in-house responsibilities. Platforms, such as EC-Council’s CISO Summit Series, provide a means for top-level IS executives to gather and discuss the latest industry challenges. Continuous education and knowledge sharing will provide solutions to the quandaries top-executives face on a daily basis. For more information on upcoming EC-Council CISO Executive Summits, please visit: http://www.eccouncil.org/cisosummit.


