SecurityRecruiter.com's Security Recruiter Blog

Who Wants To Be A Global CISO?

noreply@blogger.com (Jeff Snyder) — Thu, 17 May 2012 22:30:00 +0000

A CIO Conversation

My most interesting days as a security recruiter are the ones where I get to interact with senior leaders within my client companies. Sometimes I deal with security leaders who are adding security talent to their staffs. Other times, I’m on the phone with a Chief Executive Officer, Chief Information Officer, Chief Risk Officer, Chief Compliance Officer, Chief Financial Officer, Head of Human Resources…the list goes on.

By regularly interacting with these non-security business leaders, I'm fortunate to stay fresh in my knowledge and understanding of what the business wants, needs and expects from security leadership.

Today, I was on the phone with the Chief Information Officer of a global $20 Billion Dollar company. We were discussing his need to hire a Chief Information Security Officer (CISO) for the first time. I’ve been fortunate to fill many brand new, newly created positions like this one in my 20+ years of recruiting. This is my favorite kind of search to deliver to.

The greatest value I gain by investing time with stakeholders who will be involved in a hiring decision is the insight I gain into that person’s style and personality. Recruiting is an art rather than a science. Connecting two human beings who will spend more time together in a company than either individual spends at home with their spouse is a highly complex proposition that I take very seriously.

The time this CIO invested with me today puts me in a highly competitive position on behalf of my client to know in a matter of just a few minutes when I’m on the phone with a prospective CISO candidate, that I'm on the phone with the right person. Without this CIO interaction, I’d hit the target but I would be less likely to hit the bulls eye.

What The CIO Needs

In today’s conversation, the CIO talked about his unique corporate culture, the need for me to find a CISO who will help to build out the information security framework, the technology risk management framework and the need for me to find CISO candidates who have worked in global industrial companies like his.

There wasn’t much if any technology discussed in this level of conversation although a CISO candidate who had experience securing large complicated global ERP environments and or large complicated document management / global collaberation environment would be strongly preferred. Most discussion topics centered around business, applications, global risk issues, managerial skills, the need for someone to possess exceptionally strong business-focused communication skills and the need for the CISO to have exceptionally strong executive presence.

Who Might Fit This Job

If you’re a CISO already and your experience somewhere along the way comes from a global industrial company in an industry like manufacturing, consumer products, mining, oil & gas, chemical, etc., you might be a fit. Perhaps you aren’t a CISO but you’re currently a Director or Vice President and you’re ready for the next step up in your career. You might qualify as a candidate for this role.

If you’re on the hunt for CISO Jobs, you’ll find this position on the Security Jobs page of SecurityRecruiter.com or you can call me directly at 719 686 8810.

Jeff Snyder’s SecruityRecruiter.com Security Recruiter Blog

Cyber Security News for the Week of May 14, 2012

noreply@blogger.com (Jeff Snyder) — Mon, 14 May 2012 13:30:00 +0000

From our friends at Citadel Information Group

Cyber Security Commentary - ISSA-LA 4th Annual Information Security Summit

Join us on May 16 for ISSA-LA's 4th Annual Information Security Summit. Keynote addresses by Alan Paller of the SANS Institute, DHS' Bruce McConnell and business coach Chris Coffey. Perfect for business, technology and information security leaders. Nonprofits can attend for free by taking advantage of ISSA-LA's special scholarship fund. Email vp@issa-la.org for more information.

The ISSA Summit provides business leaders with a concentrated, thought-provoking, and valuable education in the nature of these threats, and how organizations can and should mitigate their risks from today's cyber threats. I highly recommend that executives take advantage of this annual event.

Eric Schwab
General Manager
GFI Software

Visit the ISSA-LA Summit Website for more information or to register.

Cyber Crime

Hackers target Twitter spammers in massive account data breach: Summary: A massive breach has led to more than 55,000 Twitter accounts being published on the Web. But it appears the hackers may have targeted spammers over ordinary users. Twitter is investigating after 55,000 account details - including username and password combinations - were published online. ZDNet, May 8, 2012

Hackers breach UMaine servers. Affected students made purchases at computer store: A University of Maine computer server breach by hackers may have exposed personal information, including credit card and Social Security numbers of students, college officials said Thursday. Morning Sentinel, May 12, 2012

Cyber Hacktivists

Activist hackers temporarily block Putin's website: Hackers temporarily blocked President Vladimir Putin's web site on Wednesday, carrying out a promise to disrupt government information portals two days after his swearing-in for another six-year term that has drawn street protests. Reuters, May 9, 2012

Cyber Risk

Is Your Cloud Provider Exposing Remnants of Your Data?: CIO - If your organization uses a multi-tenant managed hosting service or Infrastructure as a Service (IaaS) cloud for some or all of your data and you aren't following best practices by encrypting that data you may be inadvertently exposing it.ComputerWorld, May 10, 2012

FBI: Updates Over Public 'Net Access = Bad Idea: The Federal Bureau of Investigation is advising travelers to avoid updating software while using hotel or other public Internet connections, warning that malicious actors are targeting travelers abroad through pop-up windows while they are establishing an Internet connection in their hotel rooms. KrebsOnSecurity, May 11, 2012

DHS: Hackers Mounting Organized Cyber Attack on U.S. Gas Pipelines: For the past six months, an unidentified group of hackers has been mounting an ongoing, coordinated cyber attack on the control systems of U.S. gas pipelines, prompting the Department of Homeland Security to issue alerts. ABC News, May 8, 2012

At the Crossroads of eThieves and Cyberspies: Lost in the annals of campy commercials from the 1980s is a series of ads that featured improbable scenes between two young people (usually of the opposite sex) who always somehow caused the inadvertent collision of peanut butter and chocolate. After the mishap, one would complain, "Hey you got your chocolate in my peanut butter!," and the other would shout, "You got your peanut butter in my chocolate!" The youngsters would then sample the product of their happy accident and be amazed to find someone had already combined the two flavors into a sweet and salty treat that is commercially available. KrebsOnSecurity, May 8, 2012

Financial Malware Tricks Users With Claims of Free Credit Card Fraud Insurance: A piece of financial malware called Tatanga attempts to trick online banking users into authorizing rogue money transfers from their accounts as part of the activation procedure for a free credit-card fraud insurance service purportedly provided by their banks, security researchers from Trusteer said Tuesday. IDG News, May 8, 2012

Hackers Gain Access to Homes Through Webcams: Internet users are becoming vulnerable to hackers who can infiltrate software and gain access to webcams. "The main thing to worry about is when software is able to turn on your camera without notifying you, without the user explicitly turning it on, that's the main issue," said Feross Aboukhadijeh, a student at Stanford University in California.Information Week, May 9, 2012

Cyber Security Management

HIPAA/HiTECH - Changes on the Way for Covered Providers: The privacy and security landscape for covered providers will soon be changing. A number of rules are finally making their way through the system in relationship to HIPAA, HiTECH and Stage II Meaningful Use. JDSupra, May 9, 2012

Securing the Village

Pentagon to expand cybersecurity program for defense contractors: The Pentagon is expanding and making permanent a trial program that teams the government with Internet service providers to protect defense firms' computer networks against data theft by foreign adversaries. Washington Post, May 11, 2012

Identity-Theft Victims Given Short Shrift by IRS, Says Watchdog: J. Russell George, the Treasury Inspector General for Tax Administration, or Tigta-an official IRS watchdog-today told a Congressional oversight committee that the Internal Revenue Service gives "confusing and often conflicting instructions" to taxpayers who are victims of identity theft. IRS Deputy Commissioner Steven Miller gave testimony before the committee as well. Wall Street Journal, May 8, 2012

FBI Fears Bitcoin's Popularity with Criminals: The FBI sees the anonymous Bitcoin payment network as an alarming haven for money laundering and other criminal activity - including as a tool for hackers to rip off fellow Bitcoin users. ... That's according to a new FBI internal report that leaked to the internet this week, which expresses concern about the difficulty of tracking the identify of anonymous Bitcoin users, while also unintentionally providing tips for Bitcoin users to remain more anonymous. Wired, May 9, 2012

Cyber Defenders

Cybersecurity Firms Ditch Defense, Learn To 'Hunt': The most challenging cyberattacks these days come from China and target Western firms' trade secrets and intellectual property. But a problem for some is a business opportunity for others: It's boom time for cybersecurity firms that specialize in going after Chinese hackers. NPR May 10, 2012

Cyber Research

Cybersecurity Experts Begin Investigation on Self-Adapting Computer Network That Defends Itself Against Hackers: In the online struggle for network security, Kansas State University cybersecurity experts are adding an ally to the security force: the computer network itself. Newswise, May 10, 2012

Jeff Snyder’s SecurityRecruiter.com Security Recruiter Blog

Mobile Phone Change Time, iPhone or Android or Windows Phone?

noreply@blogger.com (Jeff Snyder) — Tue, 08 May 2012 19:45:00 +0000

I placed a question on LinkedIn 24 hours ago asking people in the telecommunications sector to share their advice. This is a very cool feature of LinkedIn by the way. Within the 9 answers I've received, I've received answers from NYC, Los Angeles, Baltimore, Austrailia, Canada, India, UAE, Netherlands and the UK in 24 hours.

I currently have a Windows desktop machine that runs my life through Outlook. I don't travel that much so I'm usually at my desk and Outlook schedules my world just fine.

My Blackberry phone used to talk to my desktop machine through a direct USB connection. Something went wrong and that relationship and communication isn't good any longer. Not to mention that I can’t stand the little tiny keys at the bottom of my Blackberry.

About a year ago, I stepped into the Apple world for the first time when I purchased an iPad. The idea was to use this device when traveling rather than carrying the much heavier laptop. Not only has the device been outstanding as a travel companion but I’ve found many other business uses for this device.

For example, when I started doing public speaking, a friend showed me the Keynote iPad application and I was off and running with a tool to create presentations. I’ve delivered a couple of presentations now and all I have to do is to show up with the iPad in hand.

My iPad is configured to receive the same email that comes in on my desktop machine. An IT friend came over one night to set up iCloud for me. He promised that in 15 minutes, he’d have my Windows desktop, my Apple iPad and my Blackberry telephone all getting along nicely through Apple’s iCloud.

An hour into his visit, he admitted that there was a problem and he wouldn’t be able to make Apple’s iCloud work in my universe.

In less than 48 hours, Verizon will graciously allow me to sign another 2 year contract with a telephone upgrade. I’m looking for a phone that will integrate with my Outlook calendar. Ideally, this phone would integrate nicely with my iPad as well.

Though I’m appreciative of the 9 people who invested their time to provide answers on LinkedIn, the answers add up to a variety of opinions and no clear answer. I don’t play games on my telephone. In fact, since I make a living on the phone, my phone to me is like a hammer would be to a carpenter. Here are a few of the comments that were shared on LinkedIn:

“I can't speak to how any of them interact with Outlook and Windows. I can tell you that you should NOT get a Droid X2 (Motorola). I have two phones, an iPhone, which I love, and the Droid. There are things I like about the Android system and my hatred of the phone has nothing to do with it not being Apple. It is a horrid phone and the phone "app" crashes all the time, often while I'm trying to make a call. Ugh.” Amy

“Let me guess... You're retiring a Blackberry? With your requirements, I'd say you'll be sorely disappointed with whatever you try. These days, phones don't "play nicely with Outlook on a Windows Desktop" anymore; that's what Blackberry used to do. Instead, they hook into the same Exchange Server (or generic IMAP and CalDAV servers, as the case may be) your Outlook is hooked into. So if you keep your mail and calendar locally and want to sync them via USB or Bluetooth, you'll need to play around with third-party apps, which may or may not work to your liking...” Nick

“Either work well with outlook, but maybe you should look at a windows device if you want nice” Tim

“First, *not* iPhone since you're a security professional, and Apple's "trust us, we've made all the decisions for you, don't bother your little head about security, just enjoy the pretty colors" stance generally doesn't sit well with those. Your clients deserve better (IMHO). Also, while it's possible that your desires exactly match what Apple provides (3.7" screen, can't replace battery, no physical keyboard, no removable storage, etc), it's also unlikely; and at some point, there are so many compromises it's not worth it.

Windows Phone is basically the same thing, just not overpriced. Not sure what you mean "play nice with an iPad". If basic file transfer, anything should be fine.

Which Android? Decide what screen size you want, whether you require a physical keyboard, whether it'll see use as a global phone, whether you might wish to use an extended battery sometime. If you're the impatient type, be sure to get one with zero lag time when responding to commands (dental work ain't cheap). If you want to reduce attack surface, choose one that can be easily rooted (so then you can remove/disable useless cruft). Quad-core, 4G etc, are all technologies to enable game-playing, soap-opera streaming, and other wastes of time; since you don't plan to engage in those, why pay the cost of higher power consumption?” from K

“Look no further, and go for the IPhone, it will automatically sync with your Ipad and Outlook with all your updates, on Contacts, calendar, notes, documents, and media if you want, over icloud. For official emails, you can use Microsoft Exchange, and for personal email you can use, the IPhone email app, which will sync with your email account, are intervals chosen by you. Please click the following link to know more http://www.apple.com/ae/iphone/#icloud

The best thing about an IPhone is the user friendliness of the applications, I have been using an IPhone 4 for more than a year, and it has never crashed, not even once. While the Android devices are cheaper, and they promise you free applications on the Android market, but these applications are not even half as good as the applications available on the iTunes / app store. I have used both the Android and the Apple OS devices, and I personally feel that the IPhone is far ahead of rest of the lot.” Damodhar

BEST ANSWER SO FAR BUT IT MAKES ME WORK!

“Your entire setup looks seriously outdated. Sorry to be the bearer of bad news, but chances are that going forward, you will only see more frustration. The technology has evolved in a way that sort of left your needs unattended. It seems to me (rightly or not -- you tell me) that you have become a part of a small "desktop-centric" minority.

The idea that things are going to revolve around the desktop was very popular a decade or so ago, but things have changed since. The prevailing thinking today is that your content is going to be stored server-side (on premises or "in the cloud", but on a server nevertheless), and you can use multiple client devices (desktops, laptops, phones, tablets) to view it and add to it. Mainstream vendors are no longer concerned with things talking to desktops or Outlook; instead, they make things that talk to servers. Incidentally, the desktop itself is increasingly used to access server-based content, too...

I don't know how comfortable you are with this, pardon the management-speak, "new connectivity paradigm", but that's where the mainstream is. Whether you want to rejoin it is entirely up to you.

As to the iCloud, I am skeptical. Apple is not known for being able to make scalable online applications, so I thought it best to stay away from iCloud. If you're interested, here's the setup I came up with for myself. My mail (with my own domain name) and calendar are hosted on Yahoo! Small Business (before you ask, I settled on it back in 2004, before there ever were such things as Gmail and Google Calendar; plus, unlike Gmail, Yahoo! Small Business doesn't have a cap on storage space). I use a small army of devices (currently, two Windows desktops, three Windows laptops, one Linux desktop and an iPhone) to access it all. If I wanted to add a Mac or a tablet into the mix, it can be done in minutes.

I don't know if you're comfortable with this sort of "server-centric" setup, but in my opinion ("opinion" being the operative word), this is the only way to make your content accessible to multiple devices running on multiple platforms. Reliance on the desktop just isn't going to get you there... “ Nick

HELP!!!

I’m open to suggestions. It seems to me that although I was asking for advice around a mobile phone decision, what Nick is suggesting that I should move my calendar system to a cloud platform such as Google or Yahoo or something similar. This makes sense to me. It just sounds like work I don’t particularly want to do when I have jobs to fill with clients who are screaming for great security talent.

Any thoughts you’d like to share?

Jeff Snyder’s SecurityRecruiter.com Security Recruiter Blog

Cyber Security News for the week of May 7, 2012

noreply@blogger.com (Jeff Snyder) — Mon, 07 May 2012 17:00:00 +0000

From our friends at Citadel Information Group

Cyber Security Commentary - ISSA-LA 4th Annual Information Security Summit

Nonprofits can attend for free by taking advantage of ISSA-LA's special scholarship fund. Email vp@issa-la.org for more information

I recommend the Summit to both the CIO and their staff because it's the one day you can count on to get informed, learn how to stay informed, and build a network of strong security professionals who are passionate about supporting the "neighborhood watch" of information security.

Jennifer Terrill, CISSP
Vice President Information Technology / CISO
True Religion Brand Jeans

Visit the ISSA-LA Summit Website for more information or to register.

Cyber Crime

Hackers Blackmail Belgian Bank With Threats to Publish Customer Data: Hackers claimed to have breached the systems of the Belgian credit provider Elantis and threatened to publish confidential customer information if the bank does not pay €150,000 (US$197,000) before Friday, May 4, they said in a statement posted to Pastebin. Elantis confirmed the data breach on Thursday, but the bank said it will not give in to extortion threats. PC World, May 3, 2012

Global Payments Breach Window Expands: A hacker break-in at credit and debit card processor Global Payments Inc. dates back to at least early June 2011, Visa and MasterCard warned in updated alerts sent to card-issuing banks in the past week. The disclosures offer the first additional details about the length of the breach since Global Payments acknowledged the incident on March 30, 2012. KrebsOnSecurity, May 4, 2012

Cyber Crime - HIPAA

SC inspector general analyzing security processes following theft of Medicaid information: COLUMBIA, S.C. - South Carolina's inspector general is reviewing the security systems of state agencies following the theft of more than 228,000 Medicaid patients' personal information, Gov. Nikki Haley said Monday. The Republic, April 30, 2012

Cyber Hacktivists

Hackers plan attack on Russian government sites: The activist hacker group Anonymous said on Friday it planned to attack Russian government websites in order to support opposition protests ahead of Vladimir Putin's inauguration as president. Reuters, May 4, 2012

Cyber Privacy

How to Muddy Your Tracks on the Internet: Legal and technology researchers estimate that it would take about a month for Internet users to read the privacy policies of all the Web sites they visit in a year. So in the interest of time, here is the deal: You know that dream where you suddenly realize you're stark naked? You're living it whenever you open your browser. The New York Times, May 3, 2012

Cyber Risk

Processor Warns of Hacking Trend: Over the past year, First Data, the largest payments processor in the U.S., has seen an uptick in "trolling" - hackers sniffing networks for remote access into point-of-sale systems that are open or loosely protected. BankInfoSecurity, April 30, 2012

Fears of spying hinder U.S. license for China Mobile: WASHINGTON - Concerned about possible cyber spying, U.S. national security officials are debating whether to take the unprecedented step of recommending that a Chinese government-owned mobile phone giant be denied a license to offer international service to American customers. LA Times, May 5, 2012

Malware for Macs Lucrative, Security Researchers Say: Last month, cybercriminals embarked on what quickly became one of the largest-scale malware attacks on Apple computers to date. Their motive was financial: security researchers now estimate that the infected computers made the malware's creators $10,000 a day. The New York Times, May 1, 2012

Cyber Threat

Android Apps Slurp Excessive Data: More than one-third of Android apps request "excessive permissions," giving them access to more data than they require. InformationWeek, May 1, 2012

Snow Leopard hit hardest by Flashback malware: Russian security company Dr. Web recently analyzed one of the latest known variants of the Flashback malware for OS X, and in doing so revealed some interesting statistics regarding the infection rates of the malware - which, by some perspectives, counters criticism of Apple's lapse in attention to security on OS X. Cnet, April 30, 2012

6 Discoveries That Prove Mobile Malware's Mettle: Mobile malware hasn't yet grown to the problematic levels that once plagued Windows PCs back in the days before Trustworthy Computing. That doesn't mean mobile vulnerabilities aren't exploitable, though: Today's security researchers are not only creating and discovering proof-of-concept examples with real-world applicability, but they're finding in-the-wild samples, too. Dark Reading, May 3, 2012

Cyber Vulnerability

The 10 worst Web application-logic flaws that hackers love to abuse: Hackers are always hunting to find business-logic flaws, especially on the Web, in order to exploit weaknesses in online ordering and other processes. NT OBJECTives, which validates Web application security, says these are the top 10 business-logic flaws they see all the time. NetworkWorld, May 3, 2012

Mac Malware Targeting Unpatched Office Running on OS X: Microsoft is reporting that malware is exploiting unpatched versions of its Microsoft Office Word 2000 suite to compromise Apple Macintoshes running Snow Leopard or earlier versions of Mac OS X. eWeek, May 2, 2012

Adobe warns: Flash Player malware hitting IE on Windows users: Adobe has shipped an extremely urgent Flash Player patch to block in-the-wild malware attacks against Windows users. ZDNet, May 4, 2012

Cyber Security Management

8 Reasons Conficker Malware Won't Die: Obstinate. That's how Microsoft has labeled Conficker, which, despite being three years old and targeted for eradication, continues to survive-and even thrive-in corporate networks. InformationWeek, April 30, 2012

Vulnerability Management

Hackers' Favorite Target Last Year Was a Blast From the Past: If you need more proof that users are a weak link in computer security, look no further than today's report from Symantec, which showed that hackers' favorite target in 2011 was a security hole fixed about four years ago. Bloomberg, April 30, 2012

Securing the Village

For Stronger IT Security, Build Relationships, Not Walls: Security leaders put up walls. Firewalls, barriers to entry, ways to control the flow of information. It's what we do. But ironically, to do a better job of protecting our enterprises, we've got to become more open and collaborative. Forbes, May 4, 2012

Cyber Career

Hottest IT Skill? Cybersecurity: Embattled by hactivists, cybercriminals and foreign rivals seeking to steal proprietary information, U.S. corporations are ramping up their hiring of cybersecurity experts, with open jobs reaching an all-time high in April. PC World, May 3, 2012

Cyber Crime Busters

Microsoft says raid damaged cybercrime operation: BALTIMORE - Microsoft and the banking industry Monday provided a detailed, behind-the-scenes account of an operation they said disrupted a major cybercrime operation that used malicious software to allegedly steal $100 million from consumers over the last five years. Fox News, April 30, 2012

Cyber Expose

Flashback malware exposes big gaps in Apple security response: A pair of high-profile malware attacks have given Apple a crash course in security response. Based on recent actions, 70 million current Mac owners have a right to expect much more from Apple than they're getting today. ZDNet, April 29, 2012

Jeff Snyder's SecurityRecruiter.com Security Recruiter Blog

Cyber Security News, Week of April 30, 2012

noreply@blogger.com (Jeff Snyder) — Mon, 30 Apr 2012 14:20:00 +0000

Cyber Security Commentary - ISSA-LA 4th Annual Information Security Summit

From our friends at Citadel Information Group

Join us on May 16 for ISSA-LA's 4th Annual Information Security Summit. Keynote addresses by Alan Paller of the SANS Institute, DHS' Bruce McConnell and business coach Chris Coffey. Perfect for business, technology and information security leaders. Nonprofits can attend for free by taking advantage of our special scholarship fund. Email vp@issa-la.org for more information.

After almost two decades of building and managing technology companies, I can attest to two unmistakable and converging facts. First, the intellectual property, financial data, and other assets of almost every organization are now in electronic format. And second, we are seeing a skyrocketing volume of espionage, theft, and other malicious activity conducted against those electronic assets.

The ISSA-LA Summit provides business leaders with a concentrated, thought-provoking, and valuable education in the nature of these threats, and how organizations can and should mitigate their risks from today's cyber threats. I highly recommend that executives take advantage of this annual event.

Eric Schwab
General Manager
GFI Software

Visit the ISSA-LA Summit Website for more information or to register.

ISSA-LA

ISSA-LA Offers Free Registration Program For NonProfits: The Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) has created a donation fund of up to $20,000 to IT employees and executives of nonprofits to attend, at no charge to the attendees, the fourth annual Information Security Summit on Wednesday, May 16, 2012 at Hilton Universal City Hotel in Los Angeles. The theme of the one-day Summit is The Growing Cyber Threat: Protect Your Business, which includes the business of operating nonprofits. DarkReading, April 27, 2012

Cyber Security Management

Mac Flashback Malware Still Going Strong, Security Experts Say: Security experts looking at the Flashback malware that had infected hundreds of thousands of Apple Macs worldwide are trying to come to an agreement over how many of these systems are still compromised by the exploit. eWeek, April 23, 2012

Infected Computers to Lose Web Access When FBI Band-Aid Falls Off: The safety net that federal authorities set up several months ago as a countermeasure to a massive malware scam will be shut down in July. When that happens, computers that are still infected with the malware, known as "DNSChanger," may be completely unable to access the Internet. The FBI and other groups have set up tools to diagnose and mend affected computers. TechNewsWorld, April 23, 2012

One in Five Macs Infected With Malware: Sophos: One in every five Apple Macs is infected with malware, according to a survey by security software firm Sophos. eWeek, April 24, 2012

Cyber Risk - HIPAA

OCR settles HIPAA case for $100k: April 26, 2012 - On April 17, 2012, the United States Department of Health and Human Services Office for Civil Rights ("OCR") reached a settlement with Phoenix Cardiac Surgery ("PSC") for alleged violations of the HIPAA Privacy and Security Rules. chiroeco.com, April 26, 2012

Cyber Crime - HIPAA

Hospitals seeing more patient data breaches: A bi-annual survey of 250 healthcare organizations shows that the percentage experiencing a patient data breach is up. And with the growth in electronic records-keeping, more of those problems are originating from laptops and mobile devices rather than a human slip-up in handling paper documents. NetworkWorld, April 13, 2012

Cyber Criminals

Russia's Million Dollar Hackers: Few nationalities are as good at making money from hacking than the Russians. Their share of the global cyber crime market, an estimated $12.5 billion black market, doubled last year to $4.5 billion, according to Moscow-based Group-IB, a cyber security services firm working mainly with the Russian government and banks to help reduce online fraud. Forbes, April 24, 2012

Refund Tax Fraud, iPhone, Feed Identity Theft By Employees: Last Thursday night, an undercover deputy from the Hillsborough County, Fla. Sheriff's office, acting on a tip, made a street buy. What makes this noteworthy is he didn't buy drugs. Instead, he purchased 33 stolen names, birth dates and Social Security numbers. The Sheriff's office says the seller, Joseph Burden, 29, was found to have 221 names in his book bag and admitted he'd taken them from his employer, Tampa-based ProVest. In an e-mailed statement, ProVest President James Ward says the arrested employee has been placed on leave and that "ProVest takes data security and privacy seriously; numerous precautions are and have been in place to safely guard consumer data." ProVest ironically, specializes in fraud detection, skip tracing and loss mitigation. Forbes, April 24, 2012

Cyber Legislation

House cybersecurity sponsors respond to privacy concerns: Leaders of the House Permanent Select Committee on Intelligence pledged Tuesday to amend their cybersecurity bill, the Cyber Intelligence Sharing and Protection Act, to address the main concerns raised by civil libertarians and privacy advocates. The revisions are clear improvements, and they show that the committee is trying hard to limit the measure's scope. Nevertheless, the bill still has a fundamental problem: By encouraging network operators to share information with the government about what their customers do online, it threatens to turn ISPs and online service providers into snoops. LA Times, April 25, 2012

House GOP dares Senate on cybersecurity: The House is sending a message to the White House and Senate Democrats this week by passing a batch of cybersecurity bills aimed at preventing the digital version of a Pearl Harbor: Not on our watch. Politico, April 25, 2012

Cybersecurity bills aim to prevent 'digital Pearl Harbor': NEW YORK (CNNMoney) - Cybercrime isn't just a threat to your bank account or personal computer - it's an issue of national security.Foreign spies and organized criminals are inside of virtually every U.S. company's network. The government's top cybersecurity advisors widely agree that cyber criminals or terrorists have the capability to take down the country's critical financial, energy or communications infrastructure. CNN, April 23, 2012

Jeff Snyder’s SecurityRecruiter.com Security Recruiter Blog

Kaspersky: "Apple is 10 years behind Microsoft in security" - Neowin

noreply@blogger.com (Jeff Snyder) — Thu, 26 Apr 2012 19:20:00 +0000

Kaspersky: "Apple is 10 years behind Microsoft in security" - Neowin:

'via Blog this'

Security Jobs: Chief Information Security Officer, Phoenix, AZ

noreply@blogger.com (Jeff Snyder) — Tue, 24 Apr 2012 19:45:00 +0000

Global Chief Information Security Officer, a Converged Security Officer Role

Location: AZ-Phoenix

Compensation: Executive Package, Salary, Bonus, Stock

Relocation: Full Relocation Package

Education: BA/BS Required, Masters Preferred

Certification: CISSP, CISM Preferred

SecurityRecruiter.com has been engaged by a Global $20+ Billion Dollar company that employs in excess of 31,000 employees around the globe to identify, recruit and deliver a Chief Information Security Officer who will guide the company’s information security, compliance and technology risk management strategies into the future. Our clients operations are located in North America, South America, Europe, Asia and Africa.

Overview:

In this role you will be the company’s first CISO and the top security executive in the company. You will oversee and coordinate global security efforts across the company including information technology, human resources, communications, legal, facilities and other groups. You will identify security initiatives and you will set security standards.

To qualify for this role, you will have to demonstrate 10 or more years of experience in and around IT and at least 5 years of experience specifically providing information security leadership in a global company. Our client does business around the globe. Candidates who do not have global experience will not be qualified for this role.

This role reports to a highly accomplished Global CIO. Peers to this position will be Directors and Senior Directors.

Responsibilities:

· Establish direction for a global information security program that is aligned with strategic business objectives.

· Provide leadership to a network of security directors and vendors who are responsible for safeguarding the company’s Assets, Intellectual Property (IP), Computer Systems and the Physical Safety of employees and visitors.

· Identify protection goals, objectives and metrics consistent with the corporate strategic plan and measure the effectiveness of the overall security program.

· Manage the development and implementation of global security policies, standards, guidelines and procedures to ensure ongoing maintenance of security.

· Physical security protection responsibilities will include asset protection, workplace violence protection, access control systems, video surveillance and more.

· Information protection responsibilities will include network security architecture, network access and monitoring, policies, employee education and security awareness and more.

· Work closely with other executives to prioritize security initiatives and spending based on appropriate risk management and financial methodology.

· Work with local, state and federal law enforcement and other related government agencies from a cyber security perspective (i.e. NSA, CIA, FBI, Secret Service, State and Local agencies)

· Oversee Incident Response Planning as well as the investigation of security breaches. Assist with disciplinary and legal matters associated with breaches as necessary.

· Perform other duties as necessary.

Minimum Qualifications

· Requires a BA/BS degree. A Master’s degree is preferred.

· Demonstrate a minimum of 10 years of experience in Information Technology where at least 5 years or experience was focused in Information Security and Risk Management leadership.

· Experience providing security leadership in a global company.

· Demonstrate a collaborative management style.

· Requires an intelligent, articulate and persuasive leader who can serve as an effective member of the senior management team and who is able to communicate security related concepts to a broad range of both technical and non-technical staff.

· Experience with business continuity planning, auditing, risk management and contract and vendor negotiation.

· Established relationships within the law enforcement community.

· A solid understanding of information technology and information security

· Demonstrated ability to lead and mentor teams and to develop skill sets in team members.

Preferred Qualifications:

· CISSP, CISM

· Global experience with Africa, South America and Asia could be a candidate differentiator

Additional Information:

· Occasional travel will be required to global locations

Our client is an equal opportunity, affirmative action employer

Apply For This Job: https://www.securityrecruiter.com/submit_resume_and_profile.php

Jeff Snyder’s SecurityRecruiter.com Security Recruiter Blog

Special C-Level Invitation to ISSA-LA 4th Annual Information Security Summit

noreply@blogger.com (Jeff Snyder) — Mon, 23 Apr 2012 16:00:00 +0000

Information security is about business. That's why, in 2004, the Business Roundtable said "Information security requires CEO attention in their individual companies." Eight years later, the Business Roundtable's words are more true than ever.

Never before has it been so important for business leaders to learn about the dangers of cybercrime and how to protect their organizations from loss.

As President of ISSA-LA - the Los Angeles Chapter of the Information Systems Security Association - I want to you invite you, your colleagues and your clients to join me and other business leaders at ISSA-LA's 4th Annual Information Security Summit on May 16th at the Universal Hilton. The theme of this year's Summit is The Growing Cyber Threat: Protect Your Business.

ISSA-LA's Information Security Summit provides business leaders with concentrated, thought-provoking, and valuable information on the latest cyber threats, providing actionable insights on steps to take to protect their organizations.

The Summit builds on our tradition of being the only information security educational forum in Los Angeles specifically designed to encourage executive participation.

I'm pleased to provide you a special discount to the Summit. This special discount is available to you, your colleagues and your clients. To register at the discounted price, simply visit the Chapter's special registration page: www.issala.org/4th-annual-summit-registration/, login with the password Summit-4 and use Stan as the "Referral Code."

This year's Keynote Address will be given by Alan Paller, Research Director at the SANS Institute and columnist for Forbes Magazine. Alan has testified several times before both the House and Senate. In 2010 the Washington Post named Alan as one of the seven people as "worth knowing, or knowing about" in cyber security.

This year's Special Keynote Addresswill be given by world renowned leadership coach Chris Coffey. Chris will discuss concepts from his soon-to-be published book Innovative Questions, describing how asking the right questions can be a vital tool in changing perceptions.

In addition to these keynote talks, we will also have a special Executive Panel including David Hallstrom, Security and Privacy Underwriting Director at CNA.

As the founding Chapter of the Information Systems Security Association, an international not-for-profit organization of information security professionals and practitioners, ISSA-LA is changing the dynamics of information security management in Los Angeles. We crossed a significant milestone on April 3rd when I had the pleasure of speaking at the prestigious Jonathan Breakfast Club.

For more information on the Summit, please visit ISSA-LA's website: www.issa-la.org.

I encourage you to join me, your peers and industry leaders on May 16th at the Universal Hilton Hotel in Universal City.

Thanks in advance for forwarding this email to your colleagues, clients and other associates so that they can also take advantage of this special discount opportunity.

Cheers -

Stan Stahl, Ph.D.

President

ISSA-LA

Jeff Snyder’s SecurityRecruiter.com Security Recruiter Blog

Cyber Security News for the Week of April 23, 2012

noreply@blogger.com (Jeff Snyder) — Mon, 23 Apr 2012 14:00:00 +0000

From our friends at Citadel Information Group

Cyber Security Commentary - ISSA-LA 4th Annual Information Security Summit

Join us on May 16 for ISSA-LA's 4th Annual Information Security Summit. Keynote address by Alan Paller. Special keynote address by Chris Coffey. Perfect for business, technology and information security leaders.

Jennifer Terrill, CISSP
Vice President Information Technology / CISO
True Religion Brand Jeans

Visit the ISSA-LA Summit Website for more information or to register.

Cyber Crime

Thieves Replacing Money Mules With Prepaid Cards?: Recent ebanking heists - such as a $121,000 online robbery at a New York fuel supplier last month - suggest that cyber thieves increasingly are cashing out by sending victim funds to prepaid debit card accounts. The shift appears to be an effort to route around a major bottleneck for these crimes: Their dependency on unreliable money mules. KrebsOnSecurity, April 13, 2012

Cybercriminals Check In At Hotel Point-Of-Sale Systems: Cybercrime gangs are increasingly finding hotel point-of-sale systems hospitable to attack: Researchers have spotted a new remote access Trojan (RAT) tool for sale in underground forums that targets hotel computers at a global hotel chain. Dark Reading, April 19, 2012

Cyber Vulnerabilities

Flashback Malware Still Affects 140,000 Macs: Apparently not all Mac users got the memo about Flashback, the malware that recently infected more than 600,000 computers running OS X. According to security firm Symantec, roughly 140,000 Mac computers were still infected as of April 16. CIO, April 18, 2012

Google Warns 20,000 Websites They Could Be Infected with Malware: Google has warned 20,000 websites that they might be hacked and injected with JavaScript redirect malware, Google said. CIO, April 19, 2012

The malware numbers game: how many viruses are out there?: How many distinct strains of malware are in circulation today? If you said hundreds of thousands or millions, you're way off. A close look at numbers from one leading security company helps explain why some big numbers don't tell the whole story. ZDNet, April 15, 2012

Cyber Security Management

Three Security Snags That Expose The Database: Insecure Web apps, no linkage to IAM, and poorly configured segmentation all contribute to database vulnerability. Dark Reading, April 19, 2012

The Benefits Of Top-Down Security: While enterprise-level breaches often get the attention of C-level suite executives and the members of their IT staff, industry research shows it actually falls to rank-and-file employees to apply best practices and exercise sound judgment in order to properly contain them. Dark Reading, April 18, 2012

Board: Protect medical devices from cybercrime: Medical devices such as insulin pumps are at increased risk of cybersecurity breaches, which puts millions of patients at risk of significant harm, warns the Information Security and Privacy Advisory Board (ISPAB). FierceHealthIT, April 16, 2012

Enterprise Networking: Data Security in the BYOD Era: 10 Big Risks Facing Enterprises: Rogue and shadow IT have been problems for data and network security and compliance officers for a long time, but the rising number of bring-your-own-device (BYOD) proponents is threatening to become a much larger overall issue. Most organizations do not have the tools to ensure security of their data on just any device, especially when those devices will be by definition either partially or totally unmanaged. In addition, organizations are grappling with the challenges these pose for the enterprise network. Traditional security technologies that rely on endpoint security, configuration management, or establishing and controlling a network perimeter are ill-suited for a BYOD-friendly company, prompting CIOs to turn to more innovative, data-centric approaches as they come to terms with losing control of access to sensitive data. And make no mistake: 2012 is all about control of data. Our expert resource for this slideshow is Ryan Kalember, vice president of strategy at WatchDox, which enables organizations to access, share and control their documents on any tablet, smartphone or PC-even those beyond the IT department's control. eWeek, April 17, 2012

Securing the Village

America's cyber czar speaks: Howard Schmidt, special assistant to U.S. president Barack Obama and White House cybersecurity coordinator, appeared this morning before a group of executives gathered at Bloomberg's New York headquarters to discuss his goals, challenges and hopes for American cybersecurity. ZDNet, April 20, 2012

Microsoft Responds to Critics Over Botnet Bruhaha: Microsoft's most recent anti-botnet campaign - a legal sneak attack against dozens of ZeuS botnets - seems to have ruffled the feathers of many in security community. The chief criticism is that the Microsoft operation exposed sensitive information that a handful of researchers had shared in confidence, and that countless law enforcement investigations may have been delayed or derailed as a result. In this post, I interview a key Microsoft attorney about these allegations. KrebsOnSecurity, April 18, 2012

Cyber Crime Economics

The Cybercrime Wave That Wasn't: In less than 15 years, cybercrime has moved from obscurity to the spotlight of consumer, corporate and national security concerns. Popular accounts suggest that cybercrime is large, rapidly growing, profitable and highly evolved; annual loss estimates range from billions to nearly $1 trillion. While other industries stagger under the weight of recession, in cybercrime, business is apparently booming. The New York Times, April 14, 2012

Hacktivists

Anonymous Must Evolve Or Break Down, Say Researchers: The movement started as an Internet meme and grew into a complex and chaotic community. Security experts argue that the Anonymous brand is now in danger of imploding. Dark Reading, April 19, 2012

Cyber Legislation

House committees approve 2 cybersecurity bills">House committees approve 2 cybersecurity bills: Two cybersecurity bills were approved by House committees on Wednesday. Those bills - as well as a third cybersecurity bill - are expected to be considered on the House floor as soon as next week. Federal Times, April 18, 2012

Cyber crime official optimistic on new legislation: The Obama administration's top cyber security official says companies would not be unduly burdened by a Senate bill that would phase in security standards for key parts of the country's privately held infrastructure. Chicago Tribune, April 16, 2012

New CISPA Draft Narrows Cybersecurity Language as Protests Loom: The U.S. House Intelligence Committee has released a new draft of the Cybersecurity Intelligence Sharing and Protection Act (CISPA), narrowing the definition of "cybersecurity threat" in response to alarms being sounded throughout the technology community. Mashable, April 14, 2012

Jeff Snyder’s SecurityRecruiter.com Security Recruiter Blog

Security Jobs: Director of Information Security & Compliance, Palo Alto, CA, Relocation: YES

noreply@blogger.com (Jeff Snyder) — Mon, 23 Apr 2012 02:49:00 +0000

Yes, I have shared this position in my blog before. Late last week, a couple of candidates were granted phone interviews for this position. They came up short in the interview process. Not because they did anything wrong but because my client determined after talking to a couple of candidates that he has to see candidates who have experience in a hosting environment.

As our conversation progressed, it became very clear to me that a security professional who is managing information security for a traditional IT department does not operate in the same manner as a security professional who is working to secure a hosting, SaaS, PaaS, IssS environment.

To acquire this position, a candidate will have to demonstrate experience in a hosting environment and they’ll have to demonstrate the ability to come up with out-of-the-box innovative solutions.

Feedback from the candidates who have been on the phone with my client suggests that he is a very intelligent person who has outstanding soft skills. Everybody who has been on this phone with this client of mine finds themselves being excited about the idea of having my client as a boss.

Director, Information Security and Compliance

Location: CA, Palo Alto

Relocation: Yes

Compensation: Mid $100s

SecurityRecruiter.com has been engaged to help build an information security / cyber security department in a high-tech company where protecting their systems and intellectual property is taken seriously. This company of 400 employees has recently gone public and is in a solid position for continued growth.

Reporting:

This role reports to a Sr. Director whose career has followed a deeply technical information security career path. He understands the work you’ll be doing for this company. In recent years, this Sr. Director’s path looks like a technical / business intersection. If you’re passionate about technology and you’re ready to work for and with people who are prepared to mentor and coach you to the next level in your career, this could be your next career move.

The Opportunity:

This newly created role exists as a result growth and as a result of this company having recently gone public. This is an opportunity to build a cyber security program from the ground up. You’ll work closely with internal lines of business as well as with external customers. As a result of your deep information security foundational background supporting your security expertise, you’ll likely be called on to support the sales team to attest to the company’s security structure during the sales process.

ISO certification could be in this company’s future but whether it is or not, programs are being built on an ISO framework. You’ll need to bring depth and breadth in Regulatory Compliance experience on top of a technical information security background to qualify for this role. If you have this experience, you’ll be relied on to build a Compliance Program.

Requirements:

• Information Security professional possessing over 12 years of information security related experience.

• A BS/BS degree is desirable.

• Demonstrate a deep understanding of SaaS (Software as a Service), PaaS (Platform as a Service) or IaaS (Infrastructure as a Service) from either working in a hosting environment in the past or working with hosting companies where they were your customers.

• Demonstrate a deep working knowledge of compliance and regulatory environments such as SOX, ITIL, SAS70, ISO 27001 / 2:2005 and SSAE 16. A deep level of ISO framework understanding is required.

• Desirable candidates will likely have progressed through Security Engineer, Security Analyst, tiles to become Risk Management / Compliance specialists.

• Prior experience conducting vulnerability assessments / security assessments is desirable.

• Knowledge and/or have worked in an environment where the company has developed software; possesses knowledge of Agile & Scrum methodologies desirable.

• Ability to provide risk assessments and solutions options on technology architecture in a dynamic environment.

• Deep understanding of all things security such as: security operations; logging & monitoring; incident response; vulnerability management; and configuration management as it applies security and regulatory compliance requirements.

• Possess outstanding customer-facing skills including the ability to discuss and evaluate customer security requirements and map them to internal standards.

• Ability to be cross-functional with various teams within the company and have the ability to relate security requirements to these various teams.

• Certifications such as the CISSP, CISA, CISM, CRISS or others appreciated.

SecurityRecruiter.com's Security Recruiter Blog

Verizon's Stratton: The Future Of IT Is Mobile And Cloud - Forbes

noreply@blogger.com (Jeff Snyder) — Thu, 19 Apr 2012 16:55:00 +0000

Verizon's Stratton: The Future Of IT Is Mobile And Cloud - Forbes:

'via Blog this'

The Cargo Ship

One of my current clients is an East Coast global Fortune 50 company that produces over $50 Billion in yearly revenue. This company employs nearly 400,000 people worldwide. By all accounts, this is a very successful company and their stock is one you’d likely want in your portfolio for long-term consistent returns. Working with this client requires a significant amount of patience from me and from the security job candidates I put in front of the organization because they’re in no hurry to do anything and the decision makers I’ve encountered to date are in no hurry to take action even though the world outside their company walls is changing rapidly. Think of this company as an ocean going cargo ship. It moves at a slow and steady pace and definitely gets to where it is going but it doesn't turn on a dime.

The Speed Boat

On the West Coast of the United States, I'm working with a company of 400 people that recently went public. In this environment, there are no mainframes, no legacy systems and very little bureaucracy as far as I can see. My point of contact in this company is very intelligent. He moves quickly, takes action when action needs to be taken and is decisive. This company is a Software as a Service (Saas), Cloud Computing environment that is full of innovative game changing minds. Think of this type of this company as a speed boat. It moves fast, is nimble and has the ability to turn on a dime.

Cloud Computing and Mobile

As I've written in previous blogs, my habit of reading an article or two every day tends to kick my mind into gear first thing in the morning and causes me to think. Today's Forbes article is full of someone's opinions and ideas around Mobile and Cloud Computing, topics that I’m deeply interesting in tracking and learning more about.

I don't know if the article’s opinions are all right or not buy my gut tells me that there is truth in this article. I make this statement based on my personal experience recruiting talent for a fast moving cloud computing company. They’re building game-changing solutions. Assuming that there are many cloud computing / mobile solution developers out there, the game really is about to change.

Job Change or Career Move

Before you start looking for your next security job or better yet, before you consider your next security career move, I suggest that you put significant thought energy into determining what kind of corporate culture and corporate business model represents your best fit. If you need help to reach this point of clarity, get help!

Best Fit

What do you get when you step into a job that aligns with your best fit?

· Significantly increased job satisfaction

· You’ll find energy, creativity and innovation that might not have been bubbling to the surface previously

· You’ll work around people who will stimulate and motivate your best work

· You’ll find employment that you’ll likely not want to leave anytime soon

These are just a few ideas that come to mind.

At this moment, I have virtually the same jobs to fill with the Cargo Ship Company and with the Speed Boat Company. The same technical skills will qualify a security professional to step into either company.

In either case, the security professional who has the desired application security skills CAN do the job. Making a “CAN DO” decision will generate a job change. Making a “SHOULD DO” decision is much more likely to generate a strong career move.

Can Do, Should Do….What’s the Difference?

As part of my Security Career Coach activities, I help my clients to find clarity around the topic of what they “Should Do” rather than settling for what they “Can Do”.

I’ve built a process with several steps that takes my clients from the “Can Do” state of mind to the “Should Do” state of mind. Frequently, after my client’s discover clarity around what they “Should Do”, the next step is to build a security resume that is razor sharp, crystal clear and is aligned with the individual’s personal mission.

Just Yesterday

Yesterday, I debrief a security professional who interviewed with my Speed Boat client. This individual also happened to be one of my Security Career Coach and Security Resume Writing clients. As I listened to the candidate tell me about his phone interview, an interview that was set up in less than 5 minutes once my client saw this candidate’s clear and sharp resume, I heard a level of excitement I’d never before heard in this candidate’s voice.

I placed this person 5 years ago so I have significant experience with this individual and I know how to read him. He would tell you that.

One day he’ll write up his story for me to share with you but for now, I’ll tell you that this candidate shared with me that he has never before stood in front of his “dream job”. He has settled for exchanging his time for money up to this point in his 25 year career. Yesterday, he believed he had just found his “dream job”, his “Should Do” situation.

Now we wait to find out what my client thinks.

Conclusion

Find the work you “Should do” and you may not feel like you’re going to work any longer.

Who Wrote This Security Recruiter Blog?

Jeff Snyder, certified by The Marshall Goldsmith Group as a Stakeholder Centered Coach and certified by Executive Coaching University as a Certified MasterMind Executive Coach. 719 686 8810

Business Etiquette: 5 Rules That Matter Now | Inc.com

noreply@blogger.com (Jeff Snyder) — Wed, 18 Apr 2012 18:29:00 +0000

Business Etiquette: 5 Rules That Matter Now | Inc.com:

'via Blog this'

Most mornings, I start my day with a fresh article or two. If I don't read before getting on the phone and dealing with my Inbox, I don't get to read at all. I know that anyone who reads my Security Recruiter Blog can get to the same articles I get to on-line but I also assume that sometimes I come across articles the line up with the business side of security professional's career development that security professionals might not see when they are pursuing articles that are more technically focused.

Thank You

On several occasions, I've written articles talking about business etiquette topics. The "Thank You" topic is one that doesn't get enough attention in our current digital age. This week, I've sent out two hand-written thank you notes to clients who invested time with me late last week.

How do I know that this is the right thing to do? Because I've been sending hand-written thank you notes for years. I've had multiple experiences where after receiving my hand-written thank you note, I've received a call or an email from the recipient of my note actually thanking me for my thank you note. I know that was tough to follow that is what has actually happened to me.

If you want to stand out from your peers in an interview process, consider using a hand-written thank you note. If you want to stand out form your peers in the general day-to-day process of creating business relationships, consider a hand-written thank you note. You'll be swimming upstream and you'll be remembered as the person who stood out in a good way.

Here is what a hand-written card that I received recently said:

Hello Jeff,
I'm not sending this thank you note because you suggested it. More so, because you deserve it. I appreciate your help with my resume and the time you give up freely when I call. I am certain that you are a large part of the reason why I obtained my position @ CITRIX.

Thanks!

Manny

What's the big deal with hand-written thank you notes ?

This is the 4th hand-written thank you note I've received in the past decade. I've received various forms of thank you in electronic form but it is the hand-written notes that really stand out in my mind. If you asked me to tell you who sent hand-written notes and what those notes said, I could tell you precisely who sent notes to me and what they said.

These people chose to paddle upstream and they made themselves stand out in a positive way.

Confirmation of my Theory:

A recent conversation with a CISO whom I believe to be one of the top CISOs in Southern California turned into a discussion about business etiquette. When I run into top performers in the security, risk, compliance and privacy professions, I'm always keenly interested to find out what makes these top performers stand out.

In the case of this CISO, he told me that he spends a significant amount of time teaching his staff that they are there to serve the business in his financial services firm. He talked in great detail about teaching his staff to function with business etiquette that is not normally found in business today. He talked about teaching his team to do the little things that are often overlooked.

The result for this CISO is exceptionally high performance review ratings for himself and for his entire team.

This CISO went so far as to challenge me to write an article about the topic of saying thank you. Enough said!

Jeff Snyder's SecurityRecruiter.com Security Recruiter Blog

5 Tips for Managing Millennial Employees | Inc.com

noreply@blogger.com (Jeff Snyder) — Tue, 17 Apr 2012 00:41:00 +0000

5 Tips for Managing Millennial Employees | Inc.com:

'via Blog this'

Helpful ideas for security managers whose staff is varied in age. You don't manage Baby Boomers Gen X the way you manage Millennial employees.

Please comment if you have ideas that oppose this INC. article or ideas that add to this article.

Thanks,
Jeff Snyder
SecurityRecrutier.com

Cyber Security News of the Week for April 16, 2012

noreply@blogger.com (Jeff Snyder) — Mon, 16 Apr 2012 21:10:00 +0000

Cyber Security News of the Week

From our friends at Citadel Information Group

Join us on May 16 for ISSA-LA’s 4th Annual Information Security Summit. Keynote address by Alan Paller. Special keynote address by Chris Coffey. Perfect for business, technology and information security leaders.

Information security is here. It’s now. And while we see stories in the paper about problems, there is little information about what we as business leaders need to do. I have been impressed with what i have learned from attending the ISSA-LA Summit. I have gained important knowledge about protecting my business. And about the competitive advantage I achieve when I protect my customers’ sensitive information. Leading edge Information security requires everyone in your organization to get involved, to work together as a team. This takes leadership. This is what the Summit is all about. By attending yourself and bringing one or two members of your team you will leave with actionable insights. No group understands information security like ISSA-LA. That’s why I’m going to Summit IV and that’s why I recommend ISSA-LA’s Information Security Summit to my clients. We are fortunate to have this organization gathering so many experts together. It is a not to be missed opportunity.

Tom Drucker

PresidentConsultants in Corporate Innovation

This week's Cyber Security News has a special feature. That special feature is an announcement of ISSA-LA's 4th Annual Information Security Summit. I've been told by one of ISSA-LA's officers that the speaker line-up for this year's summit is outstanding.

On a personal note, I strongly endorse Chris Coffey's presentation, I know Chris personally as he was my coach and instructor by way of the Marshall Goldsmith Group. Chris' signature is one of three at the bottom of my Stakeholder Centered Coaching certification.

Hearing Chris Coffey speak would be worth the price of admission.

Visit the ISSA-LA Summit Website for more information or to register.

Utah breach 10X worse than originally thought: The scope of a data breach involving a Medicaid server at the Utah Department of Health is much worse than originally thought. State officials now say that close to 280,000 Social Security Numbers may have been exposed in the incident instead of 25,000, as originally believed. ComputerWorld, April 9, 2012

Checking for Mac Flashback infestation? There’s an app for that: Our post from Friday about how to check your Mac for a Flashback malware infection has been wildly popular so far. And with good reason, too, since a second security firm has now backed up the numbers indicating that more than half a million Macs have been infected. That’s slightly more than 1 percent of all 45 million Macs in the world—still a relatively small number, but a worrisome one for Mac users, as the tally of infected machines continues to grow. ars technica, April 9, 2012

Criminals Hide Malware in Version of ‘Angry Birds: Space’: A version of the hit game Angry Birds: Space that’s been seeded with malware has been discovered in the wild, although only the adventurous may risk being infected. PC Magazine, April 12, 2012

HP’s Malware-Laden Switches Illustrate Supply Chain Risks: Hewlett-Packard is trying to figure out what happened as the technology giant warned customers that some of the HP ProCurve switches shipped last year contained malware-laden flash cards. PC Magazine, April 12, 2012

Has Security Bloom Fallen off the Rose for Macs?: Dr. Stahl is quoted extensively in this story. For years in terms of security, Windows has been considered inferior to Macs. But no longer thanks to malware security epidemics. Apple is under increasing pressure to take preventative security measures by cyber experts in the wake of 600,000 malware-infected Macs. The Biz Coach, April 11, 2012

Conversations On Cybersecurity, Part 4: Effective Protection: Alan Paller, Research Director, SANS Institute: When we last left the attorneys, they had asked what they could do to stop the targeted attacks that the Chinese and other competitors used in industrial espionage. Forbes, March 5, 2012

Data Security: Who’s Winning the Cyber War?: Data security has long been a priority for financial services firms. But a wave of very public cyber attacks by international hacker groups such as Anonymous, combined with an already distrustful public following the financial crisis, has forced financial services firms to step up their network security to prevent data breaches and regain clients’ trust. While victims of some of the more notable attacks and data breaches of 2011 were large consumer companies and government agencies — including Sony, PBS, the U.S. Senate, and even the CIA and FBI — security experts say financial services firms, traditionally a popular target of fraudsters, are increasingly a target of criminal hackers. Wall Street & Technology, April 9, 2012

World renowned executive and leadership coach Chris Coffey will be a featured speaker at the Los Angeles Chapter of the Information Systems Security Association’s (ISSA-LA) fourth annual Information Security Summit on Wednesday, May 16, 2012 at Hilton Universal City Hotel in Los Angeles. The theme of the one-day Summit is The Growing Cyber Threat: Protect Your Business. PRLog, April 12, 2012

Adobe, Microsoft Issue Critical Updates: Adobe and Microsoft today each issued critical updates to plug security holes in their products. The patch batch from Microsoft fixes at least 11 flaws in Windows and Windows software. Adobe’s update tackles four vulnerabilities that are present in current versions of Adobe Acrobat and Reader.KrebsOnSecurity, April 10, 2012

Apple’s Flashback malware remover now live: Apple this afternoon released an integrated tool to remove Flashback, malware designed to steal user information that was estimated to be present in more than half a million machines just last week. Cnet, April 12, 2012

FBI: Smart Meter Hacks Likely to Spread: A series of hacks perpetrated against so-called “smart meter” installations over the past several years may have cost a single U.S. electric utility hundreds of millions of dollars annually, the FBI said in a cyber intelligence bulletin obtained by KrebsOnSecurity. The law enforcement agency said this is the first known report of criminals compromising the hi-tech meters, and that it expects this type of fraud to spread across the country as more utilities deploy smart grid technology. KrebsOnSecurity, April 11, 2012

Stuxnet Loaded by Iran Double Agents: The Stuxnet virus that damaged Iran’s nuclear program was implanted by an Israeli proxy — an Iranian, who used a corrupt “memory stick.32,” former and serving U.S. intelligence officials said.ISSSource, April 11, 2012

House to take up cybersecurity bill with revisions: (Reuters) – The U.S. House of Representatives will take up a cybersecurity bill at the end of April that lets the government and corporations share information about hacking attacks on U.S. networks, with amendments intended to ease civil liberties concerns, lawmakers said on Tuesday.Reuters, April 11, 2012

Jeff Snyder's SecurityRecruiter.com Security Recruiter Blog

Security Jobs: Information Security Architect, Phoenix, AZ

noreply@blogger.com (Jeff Snyder) — Mon, 16 Apr 2012 17:30:00 +0000

Information Security Architect

Location: AZ-Phoenix

Compensation: $100,000 - $115,000 Base Range, Strong Bonus

Relocation: Yes

Education: BA/BS, Masters Preferred

SecurityRecruiter.com has been engaged by a global client to help build its information security department. This Security Architect role is a newly created position and is an addition to a growing information security department. This role is not just focused on network domain. It requires a security architect who can design end-to-end solutions.

This role is reserved for an information security professional who desires to step into a green field environment where they can put their fingerprints all over all facets of information security. In this role, whatever you do today will be foundational and formational to the future of the organization. To acquire this role, you must demonstrate an eagerness to learn and to build, you must be flexible and able to deal with change.

The security professional who assumes this role will:

• Evaluate security technologies to recommend upgrades to the organization’s security needs.

• Assess the organization’s technology needs. Set direction and lead improvement of techniques, methodologies and deliverables.

• Create solutions and support models for technology encompassing multiple platforms.

• Create short-term and long-term enterprise system technology roadmaps based on organizational strategic requirements and business needs.

• Use metrics to improve processes. Define and review reports to ensure all services are delivered successfully.

• Work closely with information systems teams and outsourcing partners to ensure that technology solutions are effectively delivered.

• Ensure a thorough analysis of service results and respond to any escalated service delivery issues.

Requires:

• A BA/BS in Computer Science, Information Systems or related field.

• 8 or more years of experience in information technology with at least 5 years of experience working with information security systems technologies.

• Demonstrated understanding of infrastructure design and support concepts.

• Information security certifications such as: CISSP, MCSE: Security, CCSP and/or other vendor specific certifications

• Demonstrated experience with information security architecture protocols to include Web Services, SOA, HTTP(s), SNMP, etc.

• Experience with Microsoft platforms is strongly preferred.

• Experience with secure coding / secure software development / application security practices.

• Experience with threat modeling, vulnerability assessments, network and server security, firewalls, VPN, Anti-Virus, Patch Management, etc.

• Experience with FIPS, Common Criteria, etc

Phoenix Security Jobs, Phoenix Security Architect Jobs, Information Security Jobs in Phoenix

LinkedIn Linking Strategy, a Few New Thoughts to Share

noreply@blogger.com (Jeff Snyder) — Wed, 11 Apr 2012 20:10:00 +0000

Just as LinkedIn participation grows exponentially around the globe, so does my personal network. It has been fascinating over the years to see my own personal network expand to reach security professionals and other business professionals around the globe.

My LinkedIn network is just about to top the 28,000 direct connection mark. I’ve been paying more attention to who is sending LinkedIn invitations to me lately. I’m getting bombarded with invitations from recruiters and I’m starting to see a lot of invitations from people whose profiles are set up as companies as opposed to individuals.

I have thousands of recruiters in my network already so I don’t think I have room for more recruiters. This is just a fact and a choice. What is bothering me are the invitations from people whose names don’t appear but their company does.

I don’t want to connect to companies. I want to connect to people with whom relationships can be built.

For example, a LinkedIn invitation just arrived from a security leader in San Francisco. In addition to acknowledging the fact that I appreciate her invitation, I also shared a job description for a $170K position I’m working on at the moment in Palo Alto. It is a Director of Information Security and Compliance.

For somebody in the Bay Area, this position represents the next logical step in their personal career progression. I shared the position and my new connection politely sent back this note.

I have a candidate in mind. Will forward and see if they are interested.

To me, this is what LinkedIn is all about. It isn’t all that LinkedIn is about but this is the kind of networking that is appropriate for me and for my new security skilled connection. If she passes my search on to one of her Bay Area peers and that person appreciates the job I’m working on, this network will most definitely bring value to someone’s career.

Okay, enough of my random thoughts. I’ve been thinking about writing this for a while as I see more and more invitations from companies rather than individuals.

If you are a security professional, come join me on LinkedIn. If you are a business leader of any kind, I'd enjoy sharing my network with you. I’ve been an OpenNetworker for a long time. I think it might be time to become a Semi-OpenNetworker or something like that

Jeff Snyder, SecruityRecruiter.com Security Recruiter Blog

An Introvert's Guide to Networking - Lisa Petrilli - Harvard Business Review

noreply@blogger.com (Jeff Snyder) — Wed, 11 Apr 2012 17:05:00 +0000

An Introvert's Guide to Networking - Lisa Petrilli - Harvard Business Review:

'via Blog this'

I have a feeling that somebody in my Security Recruiter Blog audience might appreciate reading this article on Networking for Introverts. As a recruiter, I completely agree with the author's suggestion that learning to network is not negotiable.

You don't have to be the life of the party or the loudest person in the room to build strategic relationships. When I encounter a new group of people as I recently did at an ISSA Advisory Board Meeting, my first instinct is to listen. I want to know who my audience is before I speak. This isn't so much a planned maneuver as much as it is a natural tendency.

If you've read my prior blogs, you'll know that in the past 6 months, I've had several experiences where I was on the stage delivering public speaking. Do I live for being on the stage to deliver a message? No I don't. What I am passionate about is delivering the message and I'm just as happy to deliver the message in written form or on the phone.

Whatever holds you back from reaching out to others can be overcome. Again, I'm not suggesting that an introvert can or should turn into an extrovert. What I am suggesting that strategic bursts of reaching out to others to build relationships can significantly impact a security professional's career.

Jeff Snyder, SecurityRecruiter.com Security Recruiter Blog

SINET, a Powerful Collaborative Platform Fighting 2012: The Year of the Cyber-Pandemic | Firestorm Blog

noreply@blogger.com (Jeff Snyder) — Tue, 10 Apr 2012 15:51:00 +0000

SINET, a Powerful Collaborative Platform Fighting 2012: The Year of the Cyber-Pandemic | Firestorm Blog:

'via Blog this'

An interesting article if you've ever wondered how social media, security and privacy intersect.

Cyber Security News For The Week of April 9, 2012

noreply@blogger.com (Jeff Snyder) — Mon, 09 Apr 2012 17:10:00 +0000

Cyber Security Commentary

From our friends at Citadel Information Group

Myths die hard. This week the death knell sounded for the myth of Macintosh security. Users can no longer naively claim that they don't need to be concerned with security because they use a Macintosh.

All complex software has vulnerabilities which cybercriminals are only to happy to exploit. This is true of Mac OS X just as it's true of Windows. It's cold comfort that this particular vulnerability surfaced in Java-so well known as a source of attack exploits that we recommend users disable it. The lesson we need to take away from the Mac OS X story is humility in the face of software complexity.

In the 1980s I was a staff security engineer at TRW when my manager gave me a piece of wisdom that applies to the myth of Mac security. "There are three kinds of knowledge," he said. "There's what you know that you know you know. There's what you don't know that you know you don't know. And there's what you don't know that you don't know that you don't know."

It's this third category that is most dangerous-what we don't know that we don't know we don't know. This-our hidden ignorance-is what gets us into trouble. Believing the myth of Mac security-jumping to the conclusion that Macs are secure because we don't know about their insecurities-is dangerous because the myth keeps us from taking the actions necessary to protect sensitive information on our Macs.

We run across a lot of myths about cyber security management in our work with clients, in our workshops and in our cyber security briefings. There is the myth that IT can effectively manage cyber security; that senior management doesn't need to get involved. There is the myth that antivirus and anti-malware solutions provide sufficient security. There is the myth that "we have nothing of interest to a cyber criminal." And the most dangerous myth of all-that we can be secure if we simply do A, B and C, whatever A, B and C happen to be. It is these and other myths that keep us from being open to what we don't know that we don't know we don't know.

Myths are not always dangerous. As a child I was enthralled with the myths of the Greek and Roman gods; their stories formed the backdrop for a significant part of my moral education.

Myths become dangerous when we inappropriately apply them to real-world circumstances where they don't apply. They become dangerous when they keep us from exploring that which we don't know we don't know.

When it comes to cyber security management, myths are particularly dangerous. Our greatest security weakness-our greatest vulnerability-lies in the security myths we believe.

That's why this week's stories of more than 600,000 Macs infected by the Flashback malware is so important, for it serves as a warning about the dangers of all cyber security myths.

Cyber Crime

European hackers suspected in Utah Medicaid files breach: SALT LAKE CITY (Reuters) - A data security breach at the Utah Health Department, believed to be the work of Eastern European hackers, has exposed 24,000 U.S. Medicaid files bearing names, Social Security numbers and other private information, state officials said on Wednesday. The Chicago Tribune, April 4, 2012

Worker error exposes Utah Medicaid clients to hackers: A mistake by a state employee allowed hackers - suspected by state officials to be located in eastern Europe - to gain access to more than 24,000 files submitted to the Utah Department of Health for Medicaid recipients. The Salt Lake Tribune, April 4, 2012

Global Payments: Rumor and Innuendo: Global Payments Inc., the Atlanta-based credit and debit card processor that recently announced a breach that exposed fewer than 1.5 million card accounts, held a conference call this morning to discuss the incident. Unfortunately, that call created more questions than it did answers, at least for me. The purpose of this post is to provide some information that I have gathered, and a few observations about the reporting on this breach so far. KrebsOnSecurity, April 2, 2012

Global Payments Data Breach Exposes Card Payments Vulnerability: Cardholders around the world received a shock late last week when Global Payments Inc. announced a breach in its card data processing system. [1] After all, the company is one of the biggest processors of Visa and MasterCard card transactions, and also processes a sizable number of transactions for Discover Financial and American Express. Forbes, April 3, 2012

Cyber Threats - Mac OS X Java

How to remove the Flashback malware from OS X: While OS X was relatively void of malware for the first 10 years of use, recently malware scares have cropped up that have affected a significant number of Mac systems. Cnet, April 5, 2012

Widespread Virus Proves Macs Are No Longer Safe From Hackers: For years, Mac users have been told that not only are they cooler than their PC counterparts, they are safer too. Apple has always held that computer viruses and malware only dogged its competitors. That is no longer the case. The New York Times, April 6, 2012

Urgent Fix for Zero-Day Mac Java Flaw: Apple on Monday released a critical update to its version of Java for Mac OS X that plugs at least a dozen security holes in the program. More importantly, the patch mends a flaw that attackers have recently pounced on to broadly deploy malicious software, both on Windows and Mac systems. KrebsOnSecurity, April 4, 2012

Over 600,000 Macs infected with Flashback Trojan: Summary: The Flashback Trojan botnet reportedly controls over 600,000 Macs. Thankfully, Apple yesterday released a patch for Java, which the Trojan exploits, so make sure you install it. ZDNet, April 4, 2012

Apple patches 3-month-old Mac OS X security flaw: Days after a serious malware threat to Mac OS X was discovered, Apple finally patched the three-month-old security flaw that made it possible. MSNBC, April 4, 2012

Cyber Threats

Security hole exposes Android, iOS to Facebook identity theft: A new security vulnerability discovered in Facebook for Android and Facebook for iOS means your Facebook identity can be stolen if you use an Android phone, Android tablet, iPhone, and/or iPad. ZDNet, April 5, 2012

Cyber Criminals Targeting High-Profile Brands and Keywords to Undermine Users: GFI Software recently released its VIPRE® Report for March 2012, a collection of the 10 most prevalent threat detections encountered during the last month. GFI Labs documented several spam attacks and malware-laden email campaigns infiltrating users' systems under the guise of communications purporting to be from well-known companies and promotions for popular products and services. Google™, LinkedIn®, Skype™ and the video game Mass Effect™ 3 were among the brands exploited by cyber criminals in order to attract more victims. IT BusinessEdge, April 2012

Ice IX Malware Tricks Facebook Users Into Exposing Credit Card Details, Says Trusteer: A new configuration of the Ice IX malware attempts to trick its victims into exposing their credit card details when they try to access their Facebook accounts, according to security firm Trusteer. PC World, April 3, 2012

Cyber-Criminals Change Tactics as Network Security Improves: IBM in its X-Force security report for 2011 said security efforts have cut spam and improved vulnerability patching, but attackers are now targeting mobile devices and the cloud. CIO Insight, March 23, 2012

Social Media Companies Contribute to Cybercrime: Cybercrime is an everyday problem that threatens business operations and causes large out-of-pocket expenses for individual and corporate victims alike. Although statistics regarding the actual cost of cybercrime vary, the incidence of cybercrime has climbed steadily over the past decade. The 2011 Norton Cybercrime Report claims that more than one million people become victims of cybercrime every day, and it estimates the financial cost of cybercrime is larger than the combined global black market for cocaine, heroin, and marijuana. Forbes, March 14, 2012

Cyber Security Management

Encryption in 2012: Now a strategic business issue: In an increasingly digital world, information security and data privacy have become critically important to the enterprise. According to the 2011 Global Encryption Trends Study from Ponemon, encryption use to protect sensitive data is becoming widespread and strongly correlates to the overall strength of organization's security posture. So much so that encryption is now viewed as a strategic business issue, a far cry from when it was a niche technology and solely the concern of the IT department. ZDNet, April 4, 2012

Grant Thornton survey reveals Chief Audit Executives most worried about cybersecurity risks: CHICAGO, Mar. 19, 2012 - Chief Audit Executives (CAEs) ranked cybersecurity as their #1 concern in emerging risks, according to a new survey by Grant Thornton LLP. Mobile technology was their second biggest concern, followed by business interruption and social media. While more than half (56%) of CAEs report that their organization had 10 or less cybersecurity incidents in the last 12 months, nearly a third (31%) said that they did not know how many incidents their company had. Grant Thornton, March 19, 2012

ISSA-LA - Securing the Village

Alan Paller of SANS Institute Speaks at ISSA-LA Information Security Summit on Cybercrime Mr. Alan Paller, director of research at the world renowned SANS Institute, will be the keynote speaker at the Los Angeles Chapter of the Information Systems Security Association's (ISSA-LA) fourth annual Information Security Summit on Wednesday, May 16, 2012 at Hilton Universal City Hotel in Los Angeles. The theme of the one-day Summit is The Growing Cyber Threat: Protect Your Business. SecurityOrb, March 29, 2012

Cyber Security Management - Securing the Village

Richard Clarke on Who Was Behind the Stuxnet Attack: The story Richard Clarke spins has all the suspense of a postmodern geopolitical thriller. The tale involves a ghostly cyberworm created to attack the nuclear centrifuges of a rogue nation-which then escapes from the target country, replicating itself in thousands of computers throughout the world. It may be lurking in yours right now. Harmlessly inactive...or awaiting further orders. Smithsonian Magazine, April 2012

How China Steals Our Secrets: For the last two months, senior government officials and private-sector experts have paraded before Congress and described in alarming terms a silent threat: cyberattacks carried out by foreign governments. Robert S. Mueller III, the director of the F.B.I., said cyberattacks would soon replace terrorism as the agency's No. 1 concern as foreign hackers, particularly from China, penetrate American firms' computers and steal huge amounts of valuable data and intellectual property. New York Times - Richard Clarke Op-Ed, April 2, 2012

Cyber Mercenaries

The Zero-Day Salesmen: At A Google-Run competition in Vancouver last month the search giant's famously secure Chrome Web browser fell to hackers twice. Both of the new methods used a rigged website to bypass Chrome's security protections and completely hijack a target computer. But while those two hacks defeated the company's defenses, it was only a third one that actually managed to get under Google's skin. Forbes, March 28, 2012

Hacktivists

Anonymous Hackers Deface 500 Chinese Government Websites: The Anonymous movement has pulled off one of its biggest hacktivist coups yet, successfully defacing hundreds of Chinese Government websites in a spectacular protest against Internet censorship. April 6, 2012

SecurityRecruiter.com Security Recruiter Blog

The Magic of Doing One Thing at a Time - Tony Schwartz - Harvard Business Review

noreply@blogger.com (Jeff Snyder) — Mon, 09 Apr 2012 02:00:00 +0000

The Magic of Doing One Thing at a Time - Tony Schwartz - Harvard Business Review: "The Magic of Doing One Thing at a Time"

'via Blog this'

Getting Focused

A new week starts. I’ll get to the Cyber Security News of the Week very soon and with a little luck, I’ll have some new information security jobs to share as the week progresses. I know I’ll be interviewing a couple of candidates who on the surface appear to be in line with my client’s needs and I know that I’ll have the privilege of talking to prospective new clients about their corporate security and information security talent needs.

The Treadmill

Before the treadmill starts spinning at a high rate of speed, I’ve invested time to plan, recharge and reload. Two weeks ago today, I had just completed an 11 hour drive the day before in order to reach the destination where I planned to personally unwind. As a family, we had traveled to a destination where my plan was to escape Colorado snow, to hike, mountain bike, spend time at the pool with my girls who can’t get enough of the pool and to break my normal office routine.

While I did accomplish most of the objectives I just mentioned, I came up a little bit short in a couple of areas. The Harvard Business Review article I’ve referenced above caught my attention today because the title of the article, “The Magic of Doing One Thing at a Time”, represents a challenge that I’m continually challenged to master.

Multi-Tasking

Like many of you, somewhere along the line, I must have either consciously or subconsciously bought into the idea that people who could multi-task had somehow reached the comic book hero status I read about when I was a kid. As the years have gone by, my mind and my body have both been giving me hints to suggest that the idea of multi-tasking was not such a good idea.

I don’t know about you but my mind works best when I focus on one task at a time and give that task 100% of the mind-power I’m capable of throwing at it.

One Person at a Time

Then, someone comes along and writes an article that addresses what has been burning at my mind lately. In my security recruiting business, one rule I created for myself and for the benefit of anyone who ever engages with me on the phone is that I don’t take calls while I’m on calls. I talk to one person at a time and during any given call, the person on the other end receives 100% of my attention.

Without reading anyone else’s article, this practice has always made sense to me and I’m 100% sure that it has made sense to those who have been on the other end of my phone calls. While I’ve mastered this one particular discipline, I’m still working on other disciplines and I work with a coach to help me stay focused on the goals I’m working to master.

I Came up Slightly Short

Back to my family trip and how it relates to an HBR article. I did a pretty good job of giving my family the attention I set out to give. Where I came up short was an instance or two where I let a couple of clients interfere with my family time. I take responsibility for this shortcoming and I’ll do better the next time I set out to recharge.

Sure, I’m in business to satisfy the needs of clients. This always has been the case and will continue to be the case. However, as long as it has taken (22 year of recruiting), I’m beginning to see the value of creating boundaries between my professional time and my personal time, finding regular time and ways in which to recharge my batteries, time to think strategically (something I’m gifted to do) and time to take real vacations.

The Value of Coaching

Why am I sharing this information rather than talking about the latest conversation I’ve had with a CISO or CSO? I’ll have CISO and CSO conversations to share on other days.

Through the processes I’ve recently completed to earn executive coaching certifications and more importantly, the personal coaching I’ve received along the way, I am starting see more clearly the value of clarification, alignment and mission.

Security Professionals Need Coaching

I’ve recently met several security professionals who have discussed security career coaching with me. While there are many different angles from which we could approach these individual’s needs, what is becoming very clear to me is that most of the people who are approaching me to have this flavor of discussion are facing some kind of burnout.

This doesn’t mean that these aren’t successful people. To the contrary, they are all successful people. They are successful as security professionals but each person wants to be successful in a more well-rounded way.

For most professionals as well as for me, that means finding clarity. I’m referring to clarity around what an individual should be doing rather than what they are doing. I’m capable of doing more than the average person in the course of a business day. I used to think that my capabilities naturally translated into strengths. I was wrong. Learning to focus on what I should do rather than only on what I can do is making a significant difference in my job satisfaction and in my effectiveness as I serve my clients.

A Director of Global Security’s Need

I was recently approached by a Director of Global Security to talk about his security resume. He wanted my help to make his resume more focused, more clear and razor sharp. As I listened to this person talk about his background, accomplishments and vision for his future, what I heard was very cloudy.

I told this Director that in order to help him create a razor sharp security resume, we’d first have to work through a process to help him figure out what he wants to do when he grows up. Don’t get me wrong, this person is older than me and he is earning between $160,000 and $200,000 per year. He is already successful by many people’s measuring sticks. When I said what I said, the response on the other end of my phone was both agreeable and relieved. This is exactly what the Director was thinking, he just didn’t know how to put his thoughts into words. I did that for him in this instance.

The Security Director desires to reach a new level of success and I believe he’ll do that when he steps into a job that properly aligns with his hard wiring, with his passions and a job that aligns properly with who he is.

My Family Trip

How does this relate to my family trip? Well, I’ve recently gone through the process of finding clarity, sharpening up my vision and aligning my values with my daily activities. I guess I skipped a step in not clearly explaining to two clients that I was going to disconnect from the search business for a few days to invest time into myself and my family.

Value For My Clients

Furthermore, I should have explained to my clients that when I returned to my desk from this short trip, I’d be recharged and refocused.

I came back from my trip with some new energy but perhaps not as much as I could have gained had I been more diligent to stick to my plan. Learn from my experience if you can. Build a plan, sharpen your plan and stick to the plan. If you need help to accomplish this, call me. I’m getting better and better at executing what I’ve just written about every day.

Who Wrote This Security Recruiter Blog?

Jeff Snyder, certified by The Marshall Goldsmith Group as a Stakeholder Centered Coach and certified by Executive Coaching University as a Certified MasterMind Executive Coach. 719 686 8810

How China Steals Our Secrets - NYTimes.com

noreply@blogger.com (Jeff Snyder) — Thu, 05 Apr 2012 00:48:00 +0000

How China Steals Our Secrets - NYTimes.com:

'via Blog this'

Information Security professionals take notice. Your battle against cyber attacks is truly global and you can't ever stop learning.

This New York Times article is interesting to me based on a search I'm currently conducting in China for a Fortune 250 US Corporation. The article also caught my attention because of a conversation I shared with a CISO the other day whose company is working with the FBI to prove a corporate intellectual property theft case with a foreign born worker who allegedly sold intellectual property to a group in China.

Another reason this article caught my attention is that when I attend an ISSA board meeting tomorrow night, I'll be challenged to provide input as to what information security professionals need to learn to continue advancing their careers. This answer is multifaceted and I'm excited to meet the other board members and to learn from what other business leaders on the board have on their minds.

If you're a Security Professional, don't ever stop learning because this security recruiter never gets to stop learning about what you do!

SecruityRecruiter.com Security Recruiter Blog

Senior Application Security Engineer, Program Builder, Palo Alto, CA

noreply@blogger.com (Jeff Snyder) — Tue, 03 Apr 2012 17:46:00 +0000

Senior Application Security Engineer Compensation: Mid $100s...very competitive Location: CA-Palo Alto Relocation: Yes Education: BS in Computer Science, Computer Engineering preferred

SecurityRecruiter.com has been engaged to help build an information security / cyber security department in a high-tech company where protecting their systems and intellectual property is taken seriously. This company of 400 employees has recently gone public and is in a solid position for continued growth. Reporting: This role reports to a Director whose career has followed a deeply technical information security career path. He understands the work you’ll be doing for this company. In recent years, this Director’s path looks like a technical / business intersection. If you’re passionate about technology and you’re ready to work for and with people who are prepared to mentor and coach you to the next level in your career, this could be your next career move. The Opportunity: This newly created role represents an opportunity to build an application security program from the ground up for a company that has Internet-facing intellectual property and customer data to protect. This company takes security seriously. Responsibilities: • Work with several internal teams to develop a security roadmap that covers both infrastructure and application security (emphasis on application security) • Function as a subject matter expert in a wide variety of areas including application security, secure software development and network security. • Deliver web application security assessments for Java applications. • Assess infrastructure security and build solutions that scale with internal growth and customer growth. • Provide reviews of infrastructure services including access controls and configuration of security devices. • Push standards forward for networking devices, virtual environments and systems. • Manage large scale vulnerability and penetration scans across hosting facilities and IDS / IPS systems. • Provide a solid understanding of web services and commonly utilized technologies. Requirements: • A BS in Computer Science, Computer Engineering and/or Security, Networking or equivalent experience preferred. • Significant experience in finding web site security issues including: OWASP Top 10, XSS, SQL Injection, CSRF, Buffer Overflows, etc. • Prior application development / software engineering coding experience • Deep knowledge of LINUX technologies such as Apache, MYSQL, Tomcat, Postgres • Strong LINUX / UNIX background with scripting abilities • Experience with networking, PKI, cryptography, authentication systems and central logging infrastructure. • Strong experience with SIEM systems such as ArcSight strongly preferred. • Knowledge of crypto systems such as symmetric crypto, SSL certificates and hashing methods is desirable. • Certifications such as the CISSP, CSSLP, GWAPT, GSSP-JAVA or GWEB appreciated. Bay Area Security Jobs, Web Application Security Jobs, California Security Jobs SecruityRecruiter.com's Security Recruiter Blog

Director, Information Security and Compliance, Cloud, SaaS, PaaS, Palo Alto, CA

noreply@blogger.com (Jeff Snyder) — Tue, 03 Apr 2012 17:45:00 +0000

Director, Information Security and Compliance

Location: CA, Palo Alto

Relocation: Yes

Education: BA/BS Preferred

Compensation: Mid $100s package

Reporting:

The Opportunity:

Requirements:

· Information Security professional possessing over 12 years of information security related experience.

· A BS/BS degree is desirable.

· Demonstrate a deep working knowledge of compliance and regulatory environments such as SOX, ITIL, SAS70, ISO 27001 / 2:2005 and SSAE 16. A deep level of ISO framework understanding is required.

· Desirable candidates will likely have progressed through Security Engineer, Security Analyst, tiles to become Risk Management / Compliance specialists.

· Prior experience conducting vulnerability assessments / security assessments is desirable.

· Knowledge and/or have worked in an environment where the company has developed software; possesses knowledge of Agile & Scrum methodologies desirable.

· Ability to provide risk assessments and solutions options on technology architecture in a dynamic environment.

· Deep understanding of all things security such as: security operations; logging & monitoring; incident response; vulnerability management; and configuration management as it applies security and regulatory compliance requirements.

· Possess outstanding customer-facing skills including the ability to discuss and evaluate customer security requirements and map them to internal standards.

· Ability to be cross-functional with various teams within the company and have the ability to relate security requirements to these various teams.

· Demonstrate a deep understanding of SaaS (Software as a Service), PaaS (Platform as a Service) or IaaS (Infrastructure as a Service) from either working in this type of environment in the past or working with these types of companies where they were your customers.

· Certifications such as the CISSP, CISA, CISM, CRISS or others appreciated.

Palo Alto Security Jobs, Bay Area Security Jobs, Cloud Security Jobs, Security Director Jobs, Executive Security Jobs, California Security Jobs

SecurityRecruiter.com Security Recruiter Blog

America is losing the cybersecurity war; China hacked every major US company - Computerworld Blogs

noreply@blogger.com (Jeff Snyder) — Mon, 02 Apr 2012 20:01:00 +0000

America is losing the cybersecurity war; China hacked every major US company - Computerworld Blogs:

'via Blog this'

All I have to do in order to find a stimulating and highly educational conversation (educational for me) is to dial the number of one of the world's many top cyber security or high-level corporate security professionals I'm fortunate to know.

This morning, I read an article I hadn't seen last week when I was traveling. This article had to do with cyber security and China and is referenced above. This article caught my attention because I'm working on a Regional Physical Security Manager opening for a Fortune 250 US company where the position is located in Beijing, China. In recent weeks, I've added extensively to my knowledge base around risks of doing business in China for American companies by talking to some of the industry's top security experts on security (cyber and corporate ) and China.

Today, I shared a deep conversation with a Global Director of Information Security who has extensive experience working with security issues for his own company in China. Some of what he knows wasn't discussed as it wasn't appropriate for him to share with me. However, I'm fortunate to learn from everyone I encounter every day so some of what was shared was added to my growing China security knowledge base.

If your company ever has cyber security jobs or corporate security jobs to fill in China, we're having success in recruiting both Chinese candidates in China as well as Americans and other non-Chinese security professionals in China. Many of the American candidates we've recruited and built relationships with have extensive US Government experience working in China as well as extensive experience serving the needs of US Corporations in China.

SecurityRecruiter.com Security Recruiter Blog

Cyber Security News for the Week of April 2, 2012

noreply@blogger.com (Jeff Snyder) — Mon, 02 Apr 2012 17:30:00 +0000

Cyber Commentary

From our friends at Citadel Information Group

Several stories this week underscore the grim reality that we are doing too little "to keep computer hackers from plundering corporate data networks."

Our businesses, nonprofits and government agencies could do a much better job of defending themselves if they had accurate actionable information about the nature of attacks, the inadequacies of current defenses and alternative countermeasures that would provide improved cyber security.

While our leaders in Washington are mired in debate about the "right" balance of incentivising carrots and regulatory sticks, our economy is being weakened in a version of "death by a thousand cuts." We need Washington to get off the dime and find an acceptable balance between incentives and regulations to encourage organizations to share data, information and knowledge about cyber crime and cyber defenses.

If we learn from each other, we will all be better able to make the right informed decisions about protecting our organizations. It Takes the Village to Secure the Village ^SM .

Cyber Crime

Data Breach Sparks Worry: Concerns about credit-card security heightened Friday after a little-known Atlanta company disclosed it had been hit by hackers, potentially exposing hundreds of thousands of account holders to fraud. The Wall Street Journal, March 30, 2012

America is losing the cybersecurity war; China hacked every major US company: Gloom and doom is the predicted forecast, but that is in regard to U.S. cybersecurity instead of the weather. Four top government cybersecurity officials have basically come out to say America is getting her hiney kicked in cyberattacks by nation state hackers. ComputerWorld, March 28, 2012

U.S. Outgunned in Hacker War: WASHINGTON-The Federal Bureau of Investigation's top cyber cop offered a grim appraisal of the nation's efforts to keep computer hackers from plundering corporate data networks: "We're not winning," he said. The Wall Street Journal, March 27, 2012

EXCLUSIVE: Hackers turn credit report websites against consumers: The most important tool consumers have to fight against ID theft has been turned against them by hackers, msnbc.com has learned. Websites that offer consumers a chance to see their credit reports are being brazenly used by hackers to steal victims' information. MSNBC, March 25, 2012

Cyber Crime Surveys

Financial-Services Industry Faces Cyber Threat: Cyber crime has become the second-largest source of criminal activity against the financial sector, according to a survey published Tuesday. The Wall Street Journal, March 27, 2012

Cyber Crime Boosts Threat to Financial Services, PwC Says: Cyber crime is a "growing threat" globally and the second most commonly reported economic crime affecting financial-services firms, according to a survey by PricewaterhouseCoopers LLP. Bloomberg, March 26, 2012

Digging into Verizon DBIR: Hacking, Malware, Cyber-Threats: While we all seized on the fact that hacktivists were responsible for more than half of the data records stolen in 2011, Verizon's Data Breach Investigations Report had a few more gems. PC Magazine, March 23, 2012

Cyber Threats and Vulnerabilities

Report cites U.S., Canada as malware attack focus: In its annual review of global security threats, Websense says a major trend it observed last year is that more malware connections, hosting and phishing appear to be occurring in the United States and Canada. Network World, March 29, 2012

After Threats, No Signs of Attack by Hackers: A threat to attack a crucial part of the Internet on Saturday by members of the mercurial, leaderless hacker collective called Anonymous appears to have had no discernible impact so far. The New York Times, March 31, 2012

New Zeus P2P bots: anonymous cyber-crime ready for mass market: The recent resurgence of the Hlux/Kelihos botnet, taken down last week by a team of security companies, demonstrates how hard it is to detect and permanently shut down the latest generation of botnets. And the arms race to counter botnets is only going to escalate further now that the sort of peer-to-peer technology used in Kelihos has become commoditized in Zeus, a botnet "platform" at the center of a thriving criminal software ecosystem. Ars Technica, March 30, 2012

Hackers use Microsoft Office security hole to target Mac users: Uh oh! Mac users who occasionally dip their toes into the sea of Microsoft products are at risk of becoming the victims of targeted security attacks, thanks to a security hole in Microsoft Office for Mac. MSNBC, March 30, 2012

Chrome extensions malware hijacks Facebook profiles: Kaspersky Lab has found malware-laden Chrome extensions, along with a criminal gang playing cat and mouse with Google by releasing several variations of its wares. The Register, March 25, 2012

New Java Attack Rolled into Exploit Packs: If your computer is running Java and you have not updated to the latest version, you may be asking for trouble: A powerful exploit that takes advantage of a newly-disclosed security hole in Java has been rolled into automated exploit kits and is rapidly increasing the success rates of these tools in attacking vulnerable Internet users. KrebsOnSecurity, March 28, 2012

Cyber Security Management

Who holds the encryption keys?: Computerworld - Encryption can make up for a litany of security snafus - from a bad firewall to an unrelenting hacker to a lost laptop. Once data is encrypted, criminals can't use or sell it. Plus, if encrypted data goes missing, companies are protected from disclosure requirements in most states. No wonder 38% of companies surveyed by Forrester Research have already adopted full-disk encryption technology. But data protection doesn't stop there. Encryption keys and digital rights also must be well orchestrated and secured, or else encryption protection goes out the window. ComputerWorld, March 26, 2012

Secure remote access? Security-related remote access problems abound: An attacker seeking to penetrate an enterprise's defenses typically has many "easy" options to choose from: unpatched Windows machines, website cross-site scripting flaws, or social engineering against employees. Search Security, March, 2012

Cyber Security Management - Securing the Village

House Cybersecurity Bill Proposes Information Swaps: The U.S. government and companies operating vital computer networks would be encouraged to share information about cybersecurity threats under a bill introduced today by House Republicans. Bloomberg, March 27, 2012

White House Sets Cybersecurity Priorities: Obama Administration cybersecurity coordinator Howard Schmidt has set an agency-wide goal for agencies to implement priorities to help protect federal IT systems against cyberattack. InformationWeek, March 26, 2012

Cyber Criminals

Cybercrime dominated by organised gangs, academic study finds: The criminal possibilities of the online world have primed a "fourth era" of organised crime that is having a major effect on all forms of illegal activity around the globe, an academic study from John Grieve Centre for Policing and Security at London Metropolitan University has said. Tech World, March 28, 2012

Case Based in China Puts a Face on Persistent Hacking: SAN FRANCISCO - A breach of computers belonging to companies in Japan and India and to Tibetan activists has been linked to a former graduate student at a Chinese university - putting a face on the persistent espionage by Chinese hackers against foreign companies and groups. The New York Times, March 29, 2012

Cyber Defenders

Warned of an Attack on the Internet, and Getting Ready: SAN FRANCISCO - On a quiet Sunday in mid-February, something curious attracted the attention of the behind-the-scenes engineers who scour the Internet for signs of trouble. There, among the ubiquitous boasts posted by the hacking collective Anonymous, was a call to attack some of the network's most crucial parts. The New York Times, March 30, 2012

Microsoft's Superhero Cyber Crime Fighting Unit: When Microsoft's not making software or technological marvels in its labs, it's fighting crimes with its Digital Crimes Unit. This morning we learned about one of its missions, from The New York Times, which sounds more like a scene in a movie than something that goes on at a geeky computer company. "Microsoft employees, accompanied by United States marshals, raided two nondescript office buildings in Pennsylvania and Illinois on Friday, aiming to disrupt one of the most pernicious forms of online crime today - botnets, or groups of computers that help harvest bank account passwords and other personal information from millions of other computers," write The Times' Nick Wingfield and Nicole Perlroth. Raiding a crime scene isn't exactly something we associate with Microsoft, but the company has a whole Digital Crimes Unit devote to this type of thing. The Atlantic, March 26, 2012

Cyber Mercenaries

US government pays $250,000 for iOS exploit: It's been known for a while that there's a huge market for buying and selling zero-day exploits in popular software and operating systems. Traditionally, hackers would inform the original software developer about a security vulnerability, present it at a security conference, or participate in competitions that pay for new zero-day exploits. Recently, the market of instead selling the hacks to governments around the world has exploded. Unsurprisingly, the most lucrative types of customers are the authorities. In fact, an undisclosed U.S. government contractor recently paid $250,000 for an iOS exploit. ZDNet, MArch 25, 2012

Identity Theft

Lost data cartridges may have exposed 800,000: Four computer storage devices containing personal information for about 800,000 adults and children in California's child support system - including their names and Social Security numbers - were lost by IBM and Iron Mountain Inc., officials announced Thursday. Bloomberg, March 29, 2012

Cyber Privacy

The Philosopher Whose Fingerprints Are All Over the FTC's New Approach to Privacy: PALO ALTO - A mile or two away from Facebook's headquarters in Silicon Valley, Helen Nissenbaum of New York University was standing in a basement on Stanford's campus explaining that the entire way that we've thought about privacy on the Internet is wrong. The Atlantic, March 29, 2012

Cyber Sunshine

Researchers Clobber Khelios Spam Botnet: Experts from across the security industry collaborated this week to quarantine more than 110,000 Microsoft Windows PCs that were infected with the Khelios worm, a contagion that forces infected PCs to blast out junk email advertising rogue Internet pharmacies. KrebsOnSecurity, March 28, 2012

SecurityRecruiter.com Security Recruiter Blog