Info Risk Today Podcast

3,490 episodes — Page 63 of 70

A New Approach to IT Security

Intelligence expert Terry Roberts says cyber intelligence, a new approach to IT security, could make significant gains in the coming year. "The good thing is, this isn't really rocket science," says the chair of the Intelligence and National Security Alliance's Cyber Council.

Sep 14, 2011

ABA on the Lure of Online Banking

Nessa Feddis of the ABA says acceptance of online banking among U.S. consumers is accelerating quickly because consumers trust online security.

Sep 13, 2011

Hurricane Irene Offers Lessons

Based on its experience with Hurricane Irene, an executive at Memorial Sloan Kettering Cancer Center in Manhattan advises hospitals to make sure they plan for worst-case scenarios.

Sep 12, 2011

Secure File Transfer: Challenges and Solutions

File transfer protocol remains a practice within banking institutions of all sizes. But how can banking/security leaders ensure secure FTP that will protect and track critical data? These thought leaders offer strategies.

Sep 12, 2011

9/11: The Global Perspective

The Sept. 11 terrorist attacks struck the U.S., but the impact and lessons affected the world and the entire information security profession, says Rolf von Roessing, past international vice president of ISACA.

Sep 9, 2011

Security in a Post-9/11 World

Although the 9/11 attacks 10 years ago were a strong catalyst for ramped-up disaster recovery and business continuity planning, there's still plenty of work to do, says security specialist Mac McMillan.

Sep 9, 2011

Shifting Course on Infosec Post-9/11

On the morning of Sept. 11, 2001, federal IT leader Mark Forman was briefing government chief human resources directors on the president's e-government initiative at a forum at the University of Maryland, a 10-mile drive from his White House office, when word came of the first jet crashing into the north tower of the World Trade Center in New York.

Sep 8, 2011

Lessons of Sept. 11

As we approach the 10-year anniversary of the 9/11 attacks on the U.S., Kevin Sullivan, a former investigator with the New York State Police, reflects on lessons learned and steps industries still need to take to ensure a tragedy like 9/11 is never repeated.

Sep 7, 2011

Social Media: Why Training Is Key

Frequent face-to-face training on social media policies is a vital component of any risk management effort, says consultant Erika Del Giudice.

Sep 2, 2011

The Power of the Next Generation Firewall

Out with the old; in with the new. It's time for security-minded organizations to invest in the power and protection of the next generation firewall, says Matt Keil of Palo Alto Networks.

Sep 1, 2011

ACH Fraud: Catching Incidents Sooner

Doug Johnson of the ABA and FS-ISAC says banks and commercial customers are improving efforts to catch and thwart incidents of corporate account takeover, a sign that the industry is moving in a positive payments direction.

Sep 1, 2011

Why IT Security Careers Remain Hot

Careers in IT security remain hot, says David Foote, noted researcher and analyst of IT workforce trends. But there's a disconnect between current job opportunities and the talent pool looking to fill them.

Aug 30, 2011

The Future of Payments

The future worth of payments will not rely so much on tangible currency, but more on digital value and data. And that means a stronger need for security and data management.

Aug 29, 2011

Facial Biometrics Pose Privacy Woes

Facial recognition technology could prove to be an effective way to authenticate individuals seeking entry to secured buildings or databases storing sensitive information. But the biometric technology already is being abused, and IT security managers employing facial recognition should be careful to encrypt the biometric data, cautions a privacy rights leader.

Aug 29, 2011

Offering a Helping Hand to Agencies

In many states, the top information security officer champions IT security rather than dictates it, as the decisions of specific steps to take to safeguard digital assets are left to departments, agencies and commissions.

Aug 26, 2011

Fraud: 'A Serious Problem'

Fraud is a global concern, and an area regulators and financial institutions the world over are watching closely, says Bill Isaac. Whether a cyberthreat or mortgage fraud, investments in fraud prevention will continue, despite the state of the international economy.

Aug 26, 2011

Social Media and Reputational Risks

ICBA's Chris Lorence says all financial institutions, especially community banks, should appreciate the positive and negative effects posts on social-networking sites can have on their reputations.

Aug 24, 2011

HIPAA Audits: Documentation Is Key

Having complete documentation of every aspect of your privacy and security strategy is the best way to prepare for a HIPAA audit, says consultant Cliff Baker.

Aug 24, 2011

The Failure of Regulatory Reform

Former FDIC head Bill Isaac says U.S. banks have strengthened their financial footing since the market collapse of 2008, but the U.S. economy remains on the verge of a "double-dip" recession. The reason: poorly planned regulatory reforms.

Aug 23, 2011

Infosec in a Decentralized Environment

Give a man a fish, and you feed him for today, the proverb says. Teach a man to fish, and you feed him for a lifetime. That adage can be applied to information security as well.

Aug 23, 2011

FFIEC Authentication: The Need for Out-of-Band

As banks and credit unions assess online risk, in light of the updated guidance from the FFIEC, financial fraud analyst Tom Wills says they should consider mobile as a viable layer for out-of-band authentication.

Aug 22, 2011

FFIEC Authentication and the Link to Debit

Regulation and legislation are working in banking institutions' favor, helping them enhance fraud prevention and detection investments for debit and online banking.

Aug 18, 2011

Cloud Computing: Insurance Issues

Healthcare organizations entering cloud computing contracts should carefully consider whether they need additional liability insurance coverage to address the risks involved, says IT consultant Gerard Nussbaum.

Aug 17, 2011

Chips and Dynamic Authentication

Eduardo Perez says, simply, the "time was right" for Visa's introduction of chip-based payments incentives for U.S. merchants. Visa's new mobile-to-EMV program offers PCI-audit-compliance waivers to qualified merchants who implement dual-interface contact and contactless acceptance.

Aug 16, 2011

Questions to Ask Cloud Vendors

Before negotiating a contract with a cloud computing vendor, organizations should ask plenty of questions about privacy and security, says consultant Chris Witt.

Aug 15, 2011

PCI: New Tokenization Guidance Issued

Bob Russo says the long-awaited PCI guidance on tokenization should provide merchants with a baseline for standardization and best practices, and serve as a roadmap for how tokenization can complement compliance with the PCI-DSS.

Aug 12, 2011

Creating Ag Extension Agent for Cyber

Eugene Spafford thinks America needs the cybersecurity equivalent of an agriculture extension service to help educate citizens on IT security.

Aug 10, 2011

Social Media Risks and Controls

When it comes to social media, organizations have to be vigilant and consistent with risk assessments that closely monitor and evaluate emerging threats, says Andrew Kennedy of BITS.

Aug 9, 2011

Creating a Culture of Security

Yahoo's Justin Somaini believes his fellow CISOs in business and government do a good job keeping their bosses informed of proper information security practices, but could do better in educating the rank and file about them.

Aug 8, 2011

FFIEC Authentication Guidance: Enhancing Controls

Ian Harper of Pentagon Federal Credit Union says financial institutions should continually review their risk management processes, a recommendation reinforced by the new FFIEC Authentication Guidance.

Aug 8, 2011

Access Reports: Is Revamp Inevitable?

Federal officials should consider a major revamp of a proposal that would require healthcare organizations to provide patients with a report listing everyone who has electronically accessed their records, a former government official who helped draft the proposal says.

Aug 8, 2011

Securing the Cloud

ISACA's Marc Vael says differences in cloud computing environments and cloud providers can pose security risks. But well-thought-out contracts and risk-management plans can fill potential security gaps and ensure business continuity during outages and disasters.

Aug 5, 2011

Inside a Fraud Investigation

No two fraud incidents may be exactly alike, but a fraud investigator's approach can still be very consistent and precise, says Jean-Francois Legault, a fraud investigations specialist with Deloitte and Touche.

Aug 3, 2011

Cloud Computing: Critical Issues

Before entering a contract with a cloud computing company, organizations should consider three critical issues, says Feisal Nanji, executive director at the security consulting firm Techumen.

Aug 2, 2011

FFIEC Authentication Guidance: A Bank's Steps to Comply

"We're continually testing our controls and the effectiveness of our controls. We do a lot of emerging-threats monitoring ... so we can react," says First Niagara's Joe Rogalski.

Aug 2, 2011

Battling Debit Fraud and Skimming

Chris Olson of Fremont Bank says card skimming and the acceleration of ID theft prompted the bank to initiate a move from the mag-stripe to the chip.

Aug 2, 2011

The Value of Penetration Testing

Scott Laliberte, managing director of Protiviti, wrote the book on penetration testing, and he has strong feelings about what organizations are doing right and wrong when assessing their information security risks today.

Aug 1, 2011

Critiquing the EHR Access Report Plan

Dan Rode of the American Health Information Management Association describes why the group wants to see major revisions in a proposed federal rule requiring hospitals, clinics and others to give patients access reports listing everyone who's viewed their records.

Jul 29, 2011

Easing Burden to Comply with IRS Rules

Oregon Chief Information Security Officer Theresa Masse finds herself at the center of a state initiative to simplify compliance by agencies with Internal Revenue Service rules to safeguard taxpayer data.

Jul 28, 2011

The ROI of Trustable Identities

There are significant hard and soft benefits for government agencies to gain by investing now in solutions built around Trustable Identities, says Mike Ozburn, principal of Booz Allen Hamilton.

Jul 27, 2011

New Normal: Under Attack

It's the new conventional wisdom: all computer networks will be attacked. For Phyllis Schneck, that means organizations must be resilient, keeping computers functioning even when they're under assault.

Jul 26, 2011

Forensics in the Cloud

Performing digital forensics in the cloud isn't necessarily a new discipline, says Rob Lee of SANS Institute. But the task definitely requires a whole new mindset and some new skills from investigators.

Jul 26, 2011

The Ethics of Information Security

It is no longer enough for information security professionals to secure critical information. They also need to be asking about the legitimacy of where this information comes from, says John Colley, managing director of (ISC)2 in EMEA.

Jul 25, 2011

Cybersecurity: The New Frontier

Dickie George of the National Security Agency has one word to describe the state of information security education today: "Spotty." And this state must improve if we hope to fill all the growing demand for security pros.

Jul 25, 2011

FFIEC Authentication Guidance: Anomaly Detection

Behavioral monitoring and transaction-anomaly detection are setting the baseline for online authentication, says Guardian Analytics' Terry Austin.

Jul 22, 2011

Ron Ross on NIST's New Privacy Controls

NIST's Ron Ross points out that its seminal security control guidance, Special Publication 800-53, contains only one privacy control, requiring agencies to conduct a privacy impact assessment. That will change by year's end.

Jul 21, 2011

FFIEC Authentication Guidance: What Your Vendors Need to Know

It's not enough for banking institutions to conform to the FFIEC Authentication Guidance update. They also must ensure that their key vendors meet the same standards, says Philip Alexander of Wells Fargo Bank.

Jul 21, 2011

How to Comply with FFIEC Authentication Guidance

Former banking regulator William Henley has simple advice for banking institutions wondering how to comply with the new FFIEC authentication guidance update: "Start immediately, develop a plan, and document your progress."

Jul 20, 2011

Elements of a Social Media Policy

You know your organization's social media policy is a good one when it starts sounding less like a checklist and more like common sense, says Sherrie Madia, social media expert and author.

Jul 19, 2011

HIPAA Audits: Preparation Steps

An important component of preparing for a potential HIPAA compliance audit is to complete a "walk through" to make sure privacy and security policies and procedures are practical and effective, former HIPAA enforcer Adam Greene advises.

Jul 18, 2011