Jon Seals

Change Management is a hot topic lately on my social media channels. Like my friend Jon Hall, I am a long-time veteran of the classic Change Advisory Board (CAB) process. It almost seems medieval: a weekly or bi-weekly meeting of all-powerful IT leaders and senior engineers, holding court like royalty of old, hearing the supplications of the assembled peasants seeking various favors. I’ve heard the terms “security theater” and “governance theater” applied to unthinking and ritualistic practices in the GRC (governance, risk, and compliance) space. The CAB spectacle, at its worst, is just another form of IT theater, and it’s time to ring that curtain down.
 
As the process that most symbolizes traditional IT service management and the ITIL framework, change management is under increasing pressure to modernize in response to Agile and DevOps trends. However, it emerged for a reason, and I think it’s prudent to look at what, at its best, the practice actually does and why so many companies have used it for so long.
 
This was the topic of my most recent research, “Change Management: Let’s Get Back to Basics.” In that report, I cover the fundamental reasons for the Change process. It has legitimate objectives — coordination, risk reduction, audit trail — that do not go away because of Agile or DevOps. The question is rather, how does the modern, customer-led, digital organization achieve them? The classic “issue a request and appear before a bi-weekly CAB” is one way to achieve the desired outcomes — and likely not the most effective means, as I discuss.
...

In the past, security breaches were viewed as a single event occurring at a certain point in time. That is no longer the case. Security threats now rarely occur as singular events, and a different kind of attack is on the rise: the Advanced Persistent Threat (APT). In an APT, an unauthorized person or device gains access to a network and, instead of immediately stealing data or damaging infrastructure, stays there for a long period of time while remaining undetected. The activity may even originate from a device or user with legitimate access, so it looks like normal traffic. These attacks are much harder to detect because they are typically small in scope, focus on very specific targets (often in nontechnical departments, where suspicious activity is less likely to be noticed or reported), and unfold over weeks or even months.
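The detection problem described above is that each individual action of a long-dwell intruder is small and looks ordinary; what gives it away is the pattern over time. The following is an added example, not code from the original post: it scans proxy log lines for "beaconing", the regularly spaced, low-volume outbound connections that implanted malware uses to check in with its operator over weeks or months. The log format (ISO timestamp, source host, destination host, bytes sent) and the host and domain names are assumptions, and the log lines are constructed for the example, not taken from any real incident.

```python
"""Flag low-and-slow beaconing in proxy logs by timing regularity.

Added example. Log format, hostnames and thresholds are assumptions,
and SAMPLE_LOG is constructed data, not a record of any real breach.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: ws-hr-07 checks in with one external host every
# hour sending ~400 bytes (beacon-like), while ws-eng-21 talks to the
# intranet at irregular times with widely varying sizes (normal use).
SAMPLE_LOG = """\
2017-05-01T09:00:00 ws-hr-07 updates.example-cdn.net 412
2017-05-01T09:00:05 ws-hr-07 intranet.corp.example 18340
2017-05-01T10:00:02 ws-hr-07 updates.example-cdn.net 398
2017-05-01T10:17:44 ws-hr-07 intranet.corp.example 2210
2017-05-01T11:00:01 ws-hr-07 updates.example-cdn.net 405
2017-05-01T11:42:10 ws-hr-07 intranet.corp.example 90211
2017-05-01T12:00:03 ws-hr-07 updates.example-cdn.net 410
2017-05-01T13:00:00 ws-hr-07 updates.example-cdn.net 401
2017-05-01T14:00:04 ws-hr-07 updates.example-cdn.net 399
2017-05-01T09:03:11 ws-eng-21 intranet.corp.example 5510
2017-05-01T09:51:30 ws-eng-21 intranet.corp.example 44120
2017-05-01T10:02:08 ws-eng-21 intranet.corp.example 1200
2017-05-01T12:30:00 ws-eng-21 intranet.corp.example 87000
2017-05-01T12:31:15 ws-eng-21 intranet.corp.example 430
2017-05-01T15:45:09 ws-eng-21 intranet.corp.example 3001
"""


def parse_log(text):
    """Parse 'timestamp src dst bytes' lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        try:
            events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
        except ValueError:
            continue
    return events


def find_beacons(events, min_events=5, max_cv=0.05, max_bytes=1024):
    """Return {(src, dst): stats} for pairs whose inter-connection gaps are
    nearly constant (coefficient of variation <= max_cv) and whose payloads
    stay small, which is what a periodic check-in looks like."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in events:
        by_pair[(src, dst)].append((ts, nbytes))

    flagged = {}
    for pair, items in by_pair.items():
        if len(items) < min_events:          # too few points to judge regularity
            continue
        items.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(items, items[1:])]
        mean_gap = mean(gaps)
        if mean_gap <= 0:
            continue
        cv = pstdev(gaps) / mean_gap         # 0 means perfectly periodic
        mean_bytes = mean(n for _, n in items)
        if cv <= max_cv and mean_bytes <= max_bytes:
            flagged[pair] = {
                "events": len(items),
                "mean_gap_s": round(mean_gap, 1),
                "cv": round(cv, 4),
                "mean_bytes": round(mean_bytes, 1),
            }
    return flagged


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {src} -> {dst} {stats}")
```

Regularity is a triage signal, not proof: legitimate update checks are periodic too, so a hit should be followed by looking at what the destination is and what else the host has been doing. Real implants also add random jitter to their check-in interval, which is why `max_cv` is a tunable threshold rather than a test for exact periodicity.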

In 2014, RSA, a cybersecurity company, was called into the U.S. government’s Office of Personnel Management to fix a low-level problem. On arrival, RSA discovered that intruders were in the agency’s network and had been there for over six months, routinely stealing data in an organized yet inconspicuous manner. If not for RSA's coincidental security check, the organization would never have noticed the breach. Ironically, the door into the system was unwittingly opened by an employee who downloaded malware from a spear-phishing attack, much like the Google Docs phishing attack that took place in May. The employee was quickly informed and asked to change his password; he and the organization thought the breach ended there, but it continued undetected for months.

...

http://www.enaxisconsulting.com/big-data-drawing-insight-from-security-breaches-blog/

Severe weather across the United States in May resulted in combined public and private insured losses of at least $3 billion.

Aon Benfield’s latest Global Catastrophe Recap report reveals that central and eastern parts of the U.S. saw extensive damage from large hail, straight-line winds, tornadoes and isolated flash flooding during last month’s storms.

The costliest single event was a May 8 storm in the greater Denver, Colorado metro region, where softball-sized hail caused an insured loss of more than $1.4 billion in the state alone.

...

http://www.iii.org/insuranceindustryblog/?p=5090

Automation gets a bad rap these days, given the public fear that robots will take over jobs (an invalid assumption: we will be working side by side with them).

However, if you asked the most diehard Luddites whether they were ready and willing to give up the following:

  • Depositing a check using a mobile app
  • Ordering products on Amazon to receive the next day
  • Accepting a jury duty request online

...they would probably hesitate.

...

http://blogs.forrester.com/chris_gardner/17-06-08-automation_for_the_better_good_security

The Business Continuity Institute

New and evolving threats combined with persistent resource challenges limit organizations’ abilities to defend against cyber intrusions, and 80% of security leaders now believe it is likely their enterprise will experience a cyber attack this year. Despite this, many organizations are struggling to keep pace with the threat environment.

ISACA's State of Cyber Security Study found that more than half (53%) of survey respondents reported a year-on-year increase in cyber attacks for 2016, reflecting a combination of changing threat entry points and types of threats. IoT overtook mobile as the primary focus for cyber defenses, as 97% of organizations see a rise in its usage. As IoT becomes more prevalent in organizations, cyber security professionals need to ensure protocols are in place to safeguard these new threat entry points.

62% reported experiencing ransomware in 2016, but only 53% have a formal process in place to address it - a concerning number given the significant international impact of the recent WannaCry ransomware attack. Malicious attacks that can impair an organization’s operations or user data remain high in general (78% of organizations reporting attacks).

Additionally, fewer than a third of organizations (31%) say they routinely test their security controls, and 13% never test them. 16% do not have an incident response plan.

“There is a significant and concerning gap between the threats an organization faces and its readiness to address those threats in a timely or effective manner,” said Christos Dimitriadis, board chair and group head of information security at INTRALOT. “Cyber security professionals face huge demands to secure organizational infrastructure, and teams need to be properly trained, resourced and prepared.”