INFORMATION SECURITY
DECEMBER 2016 | VOL. 18 | NO. 10

DEDICATED CISO JOB STILL QUESTIONED
HIGH-STAKES ROLE: MGM RESORTS CISO SCOTT HOWITT
AFLAC CISO TIM CALLAHAN ON GLOBAL SECURITY, RISK
REPORT: CYBERSECURITY CAREER DATA
BUILDING A CYBERTHREAT INTELLIGENCE CAPABILITY
ANAHI SANTIAGO: HEALTHCARE INFOSEC LEADER
IT'S TIME TO CLARIFY OWNERSHIP OF RISKS IN THE CLOUD

DEDICATED TO INFORMATION SECURITY
With CISOs on the rise, the position calls for technical, business and leadership talent. Who wouldn't love this job?
EDITOR'S DESK

Dedicated to Information Security

The CISO job description is always up for debate. Is it a technical role, or is it moving out of the IT department to influence broader security and risk management initiatives? BY KATHLEEN RICHARDS

THE HEAD OF information security is a role that differs from company to company. Some organizations assign the job title in name only. Others view the CISO job as primarily a technical role. Large enterprises look for a seasoned executive who can lead the information security program (read: build one that works) and implement cybersecurity policies tailored to business strategy.

"Ten years ago, we were buried in the infrastructure team, and we were known as the security guy or gal," says Scott Howitt, senior vice president and CISO at MGM Resorts International, who is profiled in this issue. In Howitt's view, the CISO role has been elevated, in some cases, to an executive level on par with the CIO.

At Fortune 500 companies, the CISO job description is less about technology proficiency and more about information security (intellectual property and data protection, risk management, forensics and investigation, business continuity and disaster planning, regulatory compliance, data privacy issues) and strategic security initiatives. Building a threat intelligence capability and communicating risk to non-security executives, especially ownership of risk in the cloud, as Dave Shackleford explains in his column, are two areas that will receive increased scrutiny in 2017.

"Cybersecurity is not really a technical venture," says Larry Larsen, CISO of the Apple Federal Credit Union. "It is a behavioral venture in a technical environment, and that is where the counterintelligence approach comes in," he tells Jaikumar Vijayan, who reports on cyberthreat intelligence programs for this issue.

Should the CISO influence the IT organization or be part of it? This is an ongoing debate. The first CISO was brought in to perform a business function, not IT, in the mid-90s. Steve Katz was hired at Citicorp (before the blockbuster merger with Travelers Group in 1998, which created Citigroup) after the banking giant was breached. Citicorp executives realized that they needed an executive-level security function to protect their financial services business. Yet companies today do not allocate resources for a dedicated security officer, and the CISO job description is still unclear to many business executives. Funding is an ongoing issue as well because the position does not generate revenue.

Is the organization safer with a CISO? That's the bottom line.

The Obama administration appears to have come to that conclusion, after the Office of Personnel Management breach, with the September hiring of the first Federal CISO, retired Brigadier General Gregory J. Touhill, a move pledged in the Cybersecurity National Action Plan. (Will this be a CISO position in name only, as some have suggested?) As Touhill works to implement cybersecurity policies and best practices across agencies, he will have help in the form of Acting Deputy CISO Grant Schneider, the former CIO at the Defense Intelligence Agency and, most recently, director of cybersecurity policy for the National Security Council.

This CISO job is not going to get easier. Rapidly changing infrastructure, untethered devices and the internet have ushered in vulnerabilities and threats that have increased the challenges of securing data and information systems. The CISO position continues to demand technology knowledge, business acumen and cybersecurity skills. In this special CISO edition of Information Security magazine, we talk with chief information security officers from different industries (entertainment, financial services, healthcare, retail and technology) about the evolution of the CISO position and some challenges ahead.

KATHLEEN RICHARDS is the features editor of Information Security magazine. Follow her on Twitter: @RichardsKath.


HIGH-STAKES ROLE

SCOTT HOWITT, CISO OF MGM RESORTS INTERNATIONAL

"Many companies are making the CISO a peer to the CIO or taking the position out of IT altogether," Howitt says.

By Alan R. Earls

THE ROLE OF CISO can keep you up nights, but it has its lighter moments. Scott Howitt, senior vice president and CISO at MGM Resorts International in Las Vegas, likes to tell about the frantic call he got from an executive at one of his previous positions: Russian gangsters had broken into his machine and were threatening him. "I thought that was odd behavior for Russian cybercriminals as they are usually only after money," Howitt recalls. The reality turned out to be less frightening. The executive's son had installed spyware on his father's PC and would turn on the webcam to spy on him at work. Then he would make phone calls in a Russian accent and tell his father that he was watching him. "It was meant as a prank, but when my cyber team discovered the truth, the executive was a little embarrassed," Howitt says.

In his 26 years of experience, Howitt has held various technology and leadership positions. Prior to joining MGM Resorts International, Howitt was the vice president and CISO at JCPenney and director of information security at Alliance Data Systems. As a founding member of the advisory board for the Retail Cyber Intelligence Sharing Center (R-CISC), which is dedicated to public and private security information sharing, and as a member of the Nevada Commission on Homeland Security Cyber Security Committee, he shares his hard-won expertise.

How have you seen the role of CISO evolve in recent years, and what changes do you anticipate in the future?

The change that really strikes me is the elevation of the role of CISO. Ten years ago, we were buried in the infrastructure team and we were known as the security guy or gal. Some forward-thinking companies had a CISO, but most did not. Now it is seen as a key role, and many companies are making the CISO a peer to the CIO or taking the position out of IT altogether. The CISO now has regular meetings with the audit committee and often the full board. With digital enablement and the internet of things, there are many new challenges that may not involve IT that still require CISO awareness.

In your career, what are some of the initiatives or accomplishments that you feel were most significant?

After the Target breach, there was a big panic amongst retailers. Many companies had let their security lapse, and some did not even have a security department, let alone the role of CISO. A group of concerned retailers met at the National Cyber-Forensics and Training Alliance, and the idea for the Retail Cyber Intelligence Sharing Center was born. A group of about 10 companies led the charge on establishing the 401(c)3. JCPenney was one of the founding companies, and I have been on the board of R-CISC since the start. The sharing of cyber ideas and threat analytics is rewarding because you are not only helping your company, you are helping the cybercommunity as a whole. I feel very fortunate to work with the members of the R-CISC and have enjoyed seeing it grow from an idea to a vibrant organization.

When you speak to others about cybersecurity, what are your typical bits of advice?

Slow down and don't be so quick to click on that link or open that attachment. Cybercriminals prey on people's instinct to complete a task or help a person in distress. That is why so many of the phishing attacks use tactics like "Someone has your password; reset your password now," or they will use tragic events like natural disasters to lure people into giving out their information. If you feel you need to reset your password or you want to make a charitable contribution, go directly to the website and do it; never click on links.

ALAN R. EARLS is a Boston-based freelance writer focused on business and technology.


GLOBAL CISO

TIM CALLAHAN, CISO OF AFLAC

"With today's cyberthreats, the CISO has to know more about intelligence, information sharing, working with government and private industry, and how to tailor the security program to further the business," Callahan says.

By Alan R. Earls

TIM CALLAHAN IS the senior vice president of global security and CISO at Aflac Inc., an insurance provider based in Columbus, Ga., whose iconic white duck has successfully branded the Fortune 500 company in the U.S. and Japan. The Aflac CISO is in charge of the global security program, including all security operations, IT compliance and risk management.

He has held several prominent leadership roles in financial services. Prior to Aflac, as senior vice president of enterprise business continuity and information assurance at SunTrust Banks Inc., Callahan was responsible for leading the risk management team and integrating multiple information security functions to provide a unified approach to threat and vulnerability management, mitigation strategies and incident response. He also served as first vice president and CISO at People's United Bank.

Prior to his work in the private sector, Callahan was a military professional for 23 years, ultimately serving a command risk management function as a program manager at a United States Air Force Major Command.

Callahan has chaired numerous conferences, including six years at the annual IT Governance, Risk and Compliance Summit. This year, the Aflac CISO became the inaugural board chair of the National Technology Security Coalition (NTSC), a non-profit organization formed in January by the Technology Association of Georgia. The coalition's mission is to further CISO development and build awareness of information security policies and legislation.

What has led to your involvement in the National Technology Security Coalition, and what are your priorities as chairman of the board?

I think the major role of National Technology Security Coalition is to be seen as an honest broker and partner in helping to educate legislatures and policymaking arms of the government. To gain [that] level of trust and respect, NTSC must remain nonpartisan. As we build the coalition, I hope to ensure that all board members and sponsors stay aligned to the overriding goal. I think we can hold events that promote these goals and that also help educate CISOs on how they can be more impactful in public policy decisions that are good for America and good for our business climate. We must always seek to serve the larger good and protect the consumer.

How have you seen the role of the CISO evolve in recent years?

The CISO has evolved from a technical security role to that of a corporate executive with a risk management focus. Due to the emerging nature of the cyberthreat, the CISO has to know more about intelligence, information sharing, working with government and private industry counterparts and how to tailor the security program to further the company's business.

Security is no longer an IT issue. It is a business imperative, especially in industries where you have clients' private information. The CISO will continue to evolve in the aspect of business partners and will be relied on more to ensure the investment in security is meeting business needs.

As the Aflac CISO, what do you find interests the board of directors the most? What do you think boards typically need to focus on to have a better understanding about cybersecurity in their role as corporate stewards?

Each board member can be unique in what interests them the most. Some are interested in statistics about the number of attempts, while [others] are interested in the threat trend and how it affects the company. However, on a whole, they seem most interested in how we have identified the risk/threat to our environment. Are the measures we're taking to address the threats effective? Are we staying with or leading the industry? And do we have the right level of executive focus and support?

How has your background in risk management, particularly in the Air Force, informed your work in cybersecurity?

The training and experience I gained in the Air Force, particularly in the role I had, has helped me recognize risk and almost instinctively classify the risk based on the severity or penalty if the risk is realized. By recognizing these aspects of risk, it helps me make more reasonable decisions about how we should address it. In a world where there are so many threats, one does not want to overemphasize one risk to the detriment of another. This should not be a guessing game, but be as conscious and prescribed as possible.

ALAN R. EARLS is a Boston-based freelance writer focused on business and technology.


CAREER DATA

Cybersecurity Leadership Requires Seat at the Executive Table

Almost 70% of those surveyed said their organizations had a CISO or CSO function, but active participation with upper management and boards of directors is still limited at many companies.

Organizations with a CISO or CSO
Does your organization have a CISO, CSO or similar executive-level cybersecurity position in place today?

  67%  Yes
  27%  No plans to add a CISO, CSO or similar position
   4%  No, but our organization is interested in creating a CISO, CSO or similar position in the future
   2%  No, but organization plans to add a CISO, CSO or similar position within the next 12 to 24 months

SOURCE: THE STATE OF CYBER SECURITY PROFESSIONAL CAREERS, ENTERPRISE STRATEGY GROUP AND INFORMATION SYSTEMS SECURITY ASSOCIATION (ISSA), 2016; BASED OFF OF RESPONSES FROM 437 IT AND SECURITY PROFESSIONALS WORLDWIDE

CISO Reporting Structure by Size of Organization
What is the reporting structure for the CISO in your organization?

[Chart: grouped bars, one pair per category, for organizations with <1000 employees (N=82) and >1000 employees (N=211). Categories: CISO reports to CEO; CISO reports to CIO; CISO reports to someone other than CEO or CIO (or don't know). Bar labels as extracted: 49%, 38%, 40%, 35%, 22%, 16%; the extraction does not preserve which bar each label belongs to.]

SOURCE: THE STATE OF CYBER SECURITY PROFESSIONAL CAREERS, ENTERPRISE STRATEGY GROUP AND ISSA, 2016; BASED OFF OF RESPONSES FROM IT AND SECURITY PROFESSIONALS WORLDWIDE

CISO Reporting Structure
Currently, your organization has a CISO, CSO or similar executive-level cybersecurity position in place. Which of the following titles best represents to whom this person reports?

  41%  CIO
  22%  CEO
  11%  Senior IT manager who reports to CIO (i.e., VP level)
   8%  COO
   8%  Other
   5%  Chief Risk Officer
   2%  Chief Compliance Officer
   2%  Chief Legal Counsel
   1%  Don't know

SOURCE: THE STATE OF CYBER SECURITY PROFESSIONAL CAREERS, ENTERPRISE STRATEGY GROUP AND ISSA, 2016; BASED OFF OF RESPONSES FROM 293 IT AND SECURITY PROFESSIONALS WORLDWIDE
CREDIT: ERHUI1979/ISTOCK

Top-Level Participation
Is your organization's CISO, CSO or similar executive-level cybersecurity position an active participant with executive management, the board of directors or a similar oversight group?

  37%  Very active (meets with executive management or the board of directors at least once per quarter)
  22%  Active (meets with executive management or the board of directors at least twice per year)
  10%  Somewhat active (meets with executive management or the board of directors at least once per year)
  10%  Yes, but on an ad hoc basis when executive management or the board of directors specifically calls for a meeting
   6%  No
  15%  Don't know

SOURCE: THE STATE OF CYBER SECURITY PROFESSIONAL CAREERS, ENTERPRISE STRATEGY GROUP AND ISSA, 2016; BASED OFF OF RESPONSES FROM 293 IT AND SECURITY PROFESSIONALS WORLDWIDE

Skills and Attributes of Top CISOs
Which of the following are the most important qualities of a successful CISO? (Multiple responses allowed.)

  50%  Leadership skills
  47%  Communication skills
  30%  A strong relationship with business executives
  29%  A strong relationship with the CIO and other members of the IT leadership team
  23%  Management skills
  22%  Technical acumen
  19%  Strong knowledge about regulatory compliance and legal matters
  18%  Business acumen
  17%  A long tenure as a cybersecurity professional
  14%  Past experience working in an IT department
  10%  Years of experience as a CISO or in a similar role
   9%  Operational skills
   1%  Law enforcement or military experience

SOURCE: THE STATE OF CYBER SECURITY PROFESSIONAL CAREERS, ENTERPRISE STRATEGY GROUP AND ISSA, 2016; BASED OFF OF RESPONSES FROM 437 IT AND SECURITY PROFESSIONALS WORLDWIDE


THREAT INTELLIGENCE OVERLOAD

SEVEN WAYS TO AVOID THE FEEDING FRENZY

Cyberthreat intelligence is just data if it is not actionable.

By Jaikumar Vijayan

AS A FORMER security analyst with a government contractor, a lot of the work that Larry Larsen did for federal agencies involved extensive use of threat intelligence in cyberdefense strategies.

"We were seeing so many different attacks from so many different sources against government, it was an operational imperative to know where it was coming from and why," Larsen recalls.

Today, as the chief information security officer at Apple Federal Credit Union in Fairfax, Va., Larsen sees a lot of value in applying similar methods in a threat intelligence program designed for dealing with the multifaceted threats directed against his current employer.

"Cybersecurity is not really a technical venture," he says. "It is a behavioral venture in a technical environment, and that is where the counterintelligence approach comes in."

Most companies have firewalls, antivirus and other IT security tools they can plug into their network infrastructure. But that often doesn't tell security analysts anything about the source of the attack or who is entering through the side door.

"I want to know who is sitting at the keyboard launching these attacks and what they are trying to get," Larsen says. "Is it just financial data? Is it part of a broader information-gathering campaign? Is it something they are collecting to use for a more catastrophic attack?"

Larsen is among a growing number of security officers who have implemented a threat intelligence capability to help steer the technical aspects of their security program. In 2015, the threat intelligence market accounted for a somewhat modest $190 million in revenues, according to analyst firm IT-Harvest. But it is expected to top $460 million this year and over $1.5 billion in 2018.

Driving the market is the growing focus on aligning security efforts closer to actual needs and enabling better situational awareness based on the specific nature of threats that an organization faces. Digital Shadows, headquartered in San Francisco and London, provides these types of services (tailored threat analysis and alerts, dark web searches for stolen data and credentials, and more) through its SearchLight platform.

"It's about knowing what is going on around you so you can figure out what to do," says Rick Holland, a longtime Forrester Research analyst, who is currently vice president of strategy at Digital Shadows and co-chair of the SANS Cyber Threat Intelligence Summit.

Situational awareness requires tools that provide visibility both inside and beyond the perimeter of an organization, he says.

Here, according to Larsen and other security experts, are some of the things you need to keep in mind when implementing a cyberthreat intelligence capability.

TAP YOUR INTERNAL INFRASTRUCTURE FIRST

A lot of the data that you need to build a robust situational awareness capability resides inside the organization. Data from application logs, intrusion detection and intrusion prevention systems, firewalls, endpoint antivirus systems and other security controls can tell you a lot about what's going on inside your network and the vulnerabilities and exposures you face, notes Bill Podborny, CISO at Alliant Credit Union in Chicago.

It can tell you who's knocking on your network, what's already inside, and what normal user and network behavior looks like. Importantly, he adds, the data you collect from your internal systems, using security information and event management (SIEM) or a data collection and analysis tool such as Splunk, can help you identify gaps and exploitable vulnerabilities in your security controls so you can prioritize your response.

Too often, organizations focus on using outside threat feeds and threat data. They fail to tie the information back to what is going on inside their own network because they don't have enough visibility.

"The best source of intelligence is your own data," says James Carder, CISO at SIEM provider LogRhythm, based in Boulder, Colo. The company's Unified Security Intelligence Platform combines log management, endpoint and network monitoring, SIEM and security analytics.

"If you don't have the infrastructure part in place, you can't take intelligence data into your organization. You can't operationalize it if you don't look at your own data," Carder says.

MAKE USE OF INTRUSION DATA

Any approach to building a threat intelligence program should include processes for collecting and analyzing different malicious behaviors inside the network; threat intelligence data from within your particular industry, be it financial services, healthcare or retail; and, only then, threat data from the broader world beyond your line of business.

Organizations must gather threat intelligence from the actual intrusions occurring within the environment, Holland notes.

For instance, the security organization should monitor and collect data about exploits and botnet activity, command and control traffic, malware delivery mechanisms and file exfiltration.

You need to be able to gather IP addresses, malicious domain names, file hashes and other indicators of compromise from an attack on your organization and use that information to quickly identify similar attacks targeting your network in the future. The goal must be to have controls for spotting expected and unexpected threats and correlating behavior with identified threats.

"There is no more relevant threat intelligence than what is actually occurring within your organization," Holland says.

IT'S ABOUT QUALITY, NOT QUANTITY

One common misperception surrounding threat data is that you need a lot of it to be really effective. The reality is that, unless your organization has the staff and the resources to sift through massive data sets looking for the proverbial needle in the haystack, what you need to be focusing on is threat data quality.

"I don't care if you send me 500 TB of data every day," says Larsen of Apple Federal Credit Union. "I would rather have 1,024 KB of information that I actually can use."

The key when subscribing to threat feeds is to select those that help you answer the "so what" questions, Larsen adds. There are any number of feeds and services that provide information on emerging threats and threat actors but fail to identify why your organization should care about it.

It is not unusual for multiple threat services to use threat feeds from a single source. So a lot of the information coming at your security operation could be duplicate data as well.

Organizations must stay clear of trying to subscribe to all the feeds, Holland advises. Threat intelligence that isn't relevant to your business, to your threat model, is going to overwhelm your security staff and security controls. On the other hand, relevant threat intelligence reduces the noise that security teams must address, freeing them to focus on smaller and more relevant incidents, he adds.

The Importance of Finished Intelligence

WHEN SUBSCRIBING TO a threat intelligence service, choose a provider who can customize the service to your specific requirements, advises Josh Zelonis, senior analyst with Forrester Research. "It would be irresponsible for someone to recommend a threat feed without an understanding of your specific organization and the motivations of threat actors who would target you," he says.

According to Larry Larsen, CISO at Apple Federal Credit Union, the goal should be to try and get finished intelligence to the extent possible from your service provider. "There's a difference between finished intelligence and just information," says Larsen, whose company has subscribed to a customized threat intelligence service from SurfWatch Labs. Finished intelligence is information you can take, digest and act upon immediately.

For instance, it's one thing to get intelligence that a threat actor was identified on the dark web offering Yahoo accounts for sale. It's another thing entirely to know that Yahoo accounts belonging to 48 people in your organization were available in that data dump.

"Threat intelligence needs to be tailored for your organization in a manner that it informs strategic and tactical decision-making," Zelonis says. "Anything that has not been enriched to this level is just data and should be avoided if you do not have the capabilities in house to perform this enrichment." J.V.
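The three preceding points (start from your own data, collect indicators of compromise from actual intrusions, and prefer quality and relevance over volume) in working form, as an added example that is not code from the article or from any vendor it names: it merges two constructed feeds that republish the same upstream indicators, drops entries that fall outside a constructed threat model, and matches what remains against constructed DNS, proxy and endpoint log lines, ranking hits by an assumed per-host value at risk. Feed names, tags, host names and asset values are all assumptions made for the example.

```python
"""Correlate threat-feed indicators of compromise (IoCs) with internal logs.

Added example, not code from the article or any vendor it names. All feed
entries, hosts and log lines are constructed sample data (TEST-NET addresses,
.test domains, made-up hashes), not real indicators.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed feeds. feed_b repackages most of feed_a (same upstream source)
# with cosmetic differences: defanged dots, upper case, a trailing dot.
FEEDS = {
    "feed_a": [
        ("domain", "updates.example-bad.test", {"c2", "banking-trojan"}),
        ("ipv4", "203.0.113.45", {"c2"}),
        ("sha256", "ab" * 32, {"banking-trojan", "dropper"}),
        ("domain", "plc-firmware.example-bad.test", {"ics"}),
    ],
    "feed_b": [
        ("domain", "UPDATES.example-bad[.]test.", {"c2"}),
        ("ipv4", "203.0.113.45", {"c2", "scanner"}),
        ("ipv4", "198.51.100.7", {"phishing"}),
        ("sha256", "AB" * 32, {"dropper"}),
    ],
}
# Constructed internal log lines, key=value style as a SIEM might export them.
LOG_LINES = [
    "2016-12-01T09:12:03Z src=dns host=ws-17 query=updates.example-bad.test",
    "2016-12-01T09:12:04Z src=proxy host=ws-17 dst=203.0.113.45 bytes=18231",
    "2016-12-01T09:15:40Z src=dns host=ws-22 query=www.example.test",
    "2016-12-01T09:20:11Z src=av host=db-01 sha256=" + "ab" * 32,
    "2016-12-01T09:21:00Z src=proxy host=ws-22 dst=198.51.100.7 bytes=512",
]
ASSET_VALUE = {"db-01": 100, "ws-17": 30, "ws-22": 10}  # assumed value at risk per host
THREAT_MODEL_TAGS = {"c2", "banking-trojan", "dropper", "phishing"}  # assumed threat model
FIELD_TYPES = {"query": "domain", "dst": "ipv4", "sha256": "sha256"}  # log field -> IoC type


def normalize(ioc_type, value):
    """Canonicalize one indicator; return None if it is malformed."""
    v = value.strip().lower().replace("[.]", ".")  # refang defanged dots
    if ioc_type == "domain":
        v = v.rstrip(".")
        return v if re.match(r"^[a-z0-9.-]+\.[a-z]{2,}$", v) else None
    if ioc_type == "ipv4":
        try:
            return str(ipaddress.IPv4Address(v))
        except ipaddress.AddressValueError:
            return None
    if ioc_type == "sha256":
        return v if re.match(r"^[0-9a-f]{64}$", v) else None
    return None


def merge_feeds(feeds):
    """Collapse all feeds into {(type, value): {"sources", "tags"}}; a value
    republished by a second feed adds a source, not a second entry."""
    merged = defaultdict(lambda: {"sources": set(), "tags": set()})
    for name, entries in feeds.items():
        for ioc_type, raw, tags in entries:
            value = normalize(ioc_type, raw)
            if value is None:
                continue  # malformed entry: skip rather than alert on junk
            merged[(ioc_type, value)]["sources"].add(name)
            merged[(ioc_type, value)]["tags"] |= set(tags)
    return dict(merged)


def filter_relevant(indicators, wanted_tags):
    """Keep only indicators whose tags overlap the organization's threat model."""
    return {k: v for k, v in indicators.items() if v["tags"] & wanted_tags}


def parse_log_line(line):
    """Parse one key=value log line; the first token is the timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    fields["ts"] = ts
    return fields


def correlate(indicators, log_lines, asset_value):
    """Return hits for events that touch an indicator, highest-value asset first."""
    hits = []
    for line in log_lines:
        ev = parse_log_line(line)
        for field, ioc_type in FIELD_TYPES.items():
            if field not in ev:
                continue
            key = (ioc_type, normalize(ioc_type, ev[field]))
            if key in indicators:
                hits.append({"ts": ev["ts"], "host": ev["host"], "type": ioc_type,
                             "ioc": key[1], "asset_value": asset_value.get(ev["host"], 0),
                             "sources": sorted(indicators[key]["sources"]),
                             "tags": sorted(indicators[key]["tags"])})
    return sorted(hits, key=lambda h: h["asset_value"], reverse=True)
```

On the sample data, eight feed entries collapse to five unique indicators, four of which fit the threat model; `correlate(filter_relevant(merge_feeds(FEEDS), THREAT_MODEL_TAGS), LOG_LINES, ASSET_VALUE)` then returns four hits with the database host first.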


T H R E AT IN T E L L IG E NC E O VE RLO AD

THINK LIKE THE ENEMY security vendor that offers Risk Fabric, an automated
HOME
Take a risk-based approach when implementing platform that incorporates user and entities behavior
EDITORS DESK a cyberthreat intelligence practice. That means analytics.
understanding potential targetswhere your most You need to have a threat and vulnerabilityand
HIGH-STAKES ROLE: valuable resources areand how they are protected. And, some value at risk, Stolte says. Some threats are not
SCOTT HOWITT
sometimes, the best approach for doing that is to think relevant because your data or other assets are not at risk,
GLOBAL CISO: like the enemy, according to Larsen. If Im a bad guy, he adds. If you just have a threat and there is nothing to
what would I steal and how would I steal it?

It's important to know the main threat actors and the different technologies, techniques and processes they have used or are using to target similar organizations. What attack vectors do they usually exploit? What data are they after and why?

Do your main threats come from malicious insiders, external threat actors, state-sponsored entities or criminal gangs? Or are they from users who inadvertently click on attachments in email they receive from strangers?

"I tell my folks they have to maintain a sense of healthy paranoia," Larsen says. "You really have to bombard your employees, especially those close to the cyberdefense mission, with recurrent awareness training."

TAKE A RISK-BASED APPROACH

For threat intelligence to be really useful, you need to have a keen understanding of the risks that your organization faces from these threats, states Ryan Stolte, co-founder and CTO of Bay Dynamics, a San Francisco-based

lose, who cares?

The goal of a threat intelligence program should be about protecting the confidentiality, integrity and availability of your critical assets, whether it is a website, a payment system, a database or intellectual property. You need to understand where your important assets are and what would happen if they become unavailable.

Is your biggest risk the loss of intellectual property, reputational damage or loss of customer confidence?

"At the end of the day, I am trying to understand: If I were to fix one thing today, what would I do that reduces risk the most?" Stolte says. "If I were to fix 100 things today, what would those be and why?"

START SMALL

When implementing a cyberthreat intelligence practice, it is easy to get overwhelmed, Podborny observes. Dealing with threat intelligence data can be like drinking from a fire hose unless you have a good process in place for consuming and acting upon the information that is pouring in from internal and external sources.

17 INFORMATION SECURITY | DECEMBER 2016


THREAT INTELLIGENCE OVERLOAD

"Try to get some wins and successes first," he says. "Figure out how you are going to bring in threat data and what you are going to do with it so you can learn from the process and then build from there."

[Photo: Bill Podborny]

"A win would be: You are able to be proactive about any specific event that could have happened to you, or where you can prove it could have happened to you, if the event never occurred," Podborny says.

The key to implementing a cyberthreat intelligence program is not to let great come in the way of good, Stolte notes.

"Don't get ahead of yourself," he says. "Plan for what you are going to do. Turn on some data first. Make sure you are getting results and you are able to take action on those results," he adds, before rolling out the program enterprise-wide.

STICK WITH STANDARDS

Pay attention to emerging technologies and standards. The success of your threat intelligence program depends on your ability to ingest data and act upon it, either in an automated fashion or through manual sorting.

"You need to be able to parse out the data to a point where you are able to see if it is enough to be actionable or if it is just an FYI," Podborny notes. "A big piece of threat intelligence is about correlating data and trying to take proper action against it."

Threat feeds and services that support information sharing specifications, such as Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII), represent information in a standard format and are easier to automate and share than nonstandardized data.

Enterprises are learning that technology alone isn't enough when it comes to a successful threat intelligence program, according to Digital Shadows' Holland. Technology must enable and expedite analysis by humans.

"We are starting to see more traction with standards like Structured Threat Information eXpression, which is pushing threat intelligence players to all speak the same language," he says. "This will enable defenders to prevent, detect and respond to adversaries with more agility."

JAIKUMAR VIJAYAN is a freelance writer with over 20 years of experience covering the information technology industry. He is a frequent contributor to Christian Science Monitor Passcode, eWEEK, Dark Reading and several other publications.
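As an added example (not code from the article or from any vendor it quotes), this is the ingest-and-correlate step Podborny describes: a constructed STIX 2.1 bundle of the kind a TAXII server would deliver is checked against a few constructed internal log lines, and each live indicator is filed as actionable (seen in our own telemetry) or FYI. Every id, address, domain and hash in it is made up.

```python
"""Triage STIX 2.1 indicators against internal telemetry: hits are actionable, the rest is FYI."""
import json
import re

# Constructed STIX 2.1 bundle standing in for a feed a TAXII server would deliver (not a real feed;
# every id, address, domain and hash below is made up).
FEED_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "C2 address", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7']",
         "valid_from": "2016-12-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "Phishing domains", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'login.example.net' OR domain-name:value = 'bad.example']",
         "valid_from": "2016-12-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "name": "Dropper hash", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']",
         "valid_from": "2016-12-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005",
         "name": "Retired scanner", "pattern_type": "stix", "revoked": True,
         "pattern": "[ipv4-addr:value = '203.0.113.9']",
         "valid_from": "2016-01-01T00:00:00Z"},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000006",
         "name": "Example dropper", "is_family": False},
    ],
})

# Constructed internal log lines (DNS, firewall, endpoint): the telemetry a SOC already collects.
INTERNAL_LOGS = [
    "2016-12-05T10:02:11Z dns client=10.0.0.5 query=bad.example type=A",
    "2016-12-05T10:05:40Z fw src=10.0.0.5 dst=198.51.100.7 dport=443 action=allow",
    "2016-12-05T10:07:03Z fw src=10.0.0.9 dst=203.0.113.9 dport=22 action=deny",
    "2016-12-05T11:15:27Z edr host=ws-17 sha256=" + "cd" * 32 + " proc=installer.exe",
]

# One simple comparison inside a STIX pattern, e.g. ipv4-addr:value = '198.51.100.7'.
# Only equality comparisons are handled; a pattern without one yields no values and lands in 'fyi'.
COMPARISON = re.compile(r"([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'([^']+)'")


def observables(pattern):
    """Return the literal values a simple STIX pattern compares against, in pattern order."""
    return [value for _obj, _path, value in COMPARISON.findall(pattern)]


def triage(feed_json, logs):
    """Split live indicators into 'actionable' (seen in our telemetry) and 'fyi' (not seen)."""
    result = {"actionable": [], "fyi": []}
    for obj in json.loads(feed_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue  # non-indicator objects are context; revoked indicators are no longer live
        values = [v.lower() for v in observables(obj["pattern"])]
        # Compare whole tokens so 10.0.0.5 cannot match inside 10.0.0.50.
        hits = [line for line in logs
                if any(v in re.split(r"[\s=]+", line.lower()) for v in values)]
        bucket = "actionable" if hits else "fyi"
        result[bucket].append({"id": obj["id"], "name": obj["name"],
                               "values": values, "hits": hits})
    return result
```

The two indicators that hit are the ones worth an analyst's time; the hash that never appeared stays as background knowledge, and the revoked indicator is dropped even though its address shows up in the firewall log.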


HEALTHCARE LEADER

A CISO of a Major Healthcare System Looks Back

Anahi Santiago of Christiana Care Health System has spent much of her career in healthcare information security. "We are under attack," she says. BY MARCUS RANUM

MARCUS RANUM: Let's start with the beginning! How did you get into security?

ANAHI SANTIAGO: I had the benefit of working in project management for a systems and technology company, and I led a lot of large international infrastructure projects. That gave me access to all kinds of technology: systems, databases, web technology, programming, servers, you name it. Every single one of them had a security component. I started to gravitate toward the security part of it and got to pick security as the thing that I wanted to do.

RANUM: It's rare for someone to gravitate toward security, which is why I think the security aspects of many projects get neglected. Does that match your experience?

SANTIAGO: I think the company I was working for was pretty good about that. This was over a decade ago, but they took security seriously and baked it into all the projects that they did. They had a very in-depth security approach and a good team that taught me the trade.

RANUM: So you got exposed to security being done right. A lot of people came at it the other way: finding flaws and fixing screw-ups. They're 90% of the way into a project, and someone says, "Oh, we forgot about that stuff."

SANTIAGO: Every project plan I did had a security component; [each] architecture had security in it. There were standards, policies and procedures established from the beginning, so it was really easy for me to consume all of this information and understand it to the level that I was able to adopt it. And I took that approach when I went to healthcare as a field.


RANUM: I know there's a tremendous amount of focus on healthcare information security right now. Back in the '80s, when I worked at a large hospital in Baltimore, information security in healthcare really wasn't on anyone's radar at all. Is that changing?

SANTIAGO: It is! I started in healthcare information security and got my first information security officer job, with a different healthcare network, in 2005. At that time, I was the only security person. I was hired in January, the security role came into effect in April, and HIPAA is the reason that I was hired.

I was able to build a program with a lot of support from the organization, which was great. I worked there for 10 1/2 years and was able to see the industry progress and adopt security as a whole. For probably a year before I left, I would get a call from recruiters at least once a week: Big, reputable healthcare organizations were looking for their first CISO. That was very eye-opening. It's still happening, but less so. There are still a lot of organizations that are building programs and lack a senior leader in security.

RANUM: Would you say that HIPAA has been largely beneficial?

SANTIAGO: I think that it was controversial at first. The HIPAA security rule of 2005 was mildly effective in my opinion. HITECH was passed in 2009, and the subsequent omnibus rules and breach notification rules, where HIPAA was given more teeth: that was when organizations started to pay attention. When the Office for Civil Rights started to levy significant fines, that's when people started to really get serious about security.

RANUM: A few years ago, I would have said that healthcare information security was the worst for a long time, but now government has probably surpassed medical as the worst.

SANTIAGO: Education is still pretty behind. One would have thought [government] was on the leading edge with FISMA [the Federal Information Security Management Act], but we're now learning that they're not as good as they seemed.

RANUM: Many security people are both intuitive and organized (or someone organizes for them), and that often produces unorthodox characters. What strengths or weaknesses have supported your career?

SANTIAGO: I have a degree in electrical [and] computer engineering. That's where all the analytical and methodical skills come from: all those ones and zeros. My concentration in college was robotics, and I really wanted to design robots; I thought that the math was fascinating. But then I discovered that I'm a people person, and the idea of sitting behind a keyboard, in a trance, wasn't for me. So I moved away from engineering and into IT so I'd have the people aspects but still be able to tap into the fascination with technology that I have. The combination of people skills and technical skills has enabled me to transition


into what [a CISO is] now: a forward-thinking, business-enabling technologist.

RANUM: I used to read this magazine, Circuit Cellar, written by a guy named Steve Ciarcia [an embedded controls systems engineer]. He had a tagline that read, "My favorite programming language is solder." I was talking with someone about that at a conference, and Dan Geer wandered by, overheard me, ducked in, and said, "My favorite programming language is people." I think that's a pretty good summary of the CISO's job. Were you interested in robotics as a child?

SANTIAGO: I wanted to go into aerospace engineering. I decided that was what I wanted to do when I was 13 years old. Both of my parents are scientists, Ph.D.s who taught for all of their lives. I just grew up loving math and the sciences. But right as I started college, the aerospace industry fell apart. My parents told me, "Go to school for electrical engineering. There is a lot of electrical engineering in aerospace and you can get a job in other disciplines. If you just focus on aerospace, you may have trouble getting into other disciplines."

Once I started my degree in electrical engineering, I also got interested in computers, so I got a dual degree. I loved signals and controls, imaginary and complex numbers, things that are intangible but become useful when you apply them. Combine them all and you get robotics. I do remember having a lot of respect for one of my professors who taught robotics, and I'm sure that was an influence as well.

[Photo: Anahi Santiago]

RANUM: Project management is what got you interested in security, but how did you wind up interested in project management? There's a very specific set of skills that are necessary for that. How did you develop them?

SANTIAGO: Organically. I was hired into a contractor/consulting company's engineering and testing lab, and my initial role was to take off-the-shelf applications and make them fit the company's security model. I was a project team member and became better versed in the technology and have always had pretty good leadership skills, so I started taking action on projects that weren't progressing, and naturally moved into project management.

RANUM: What can a modern CISO do to make the state of medical informatics better? We've got devices that have to be certified, so they can't be upgraded easily, but they have to be in patient-accessible areas. There are some basic conflicts there, and computing is just going to keep getting more important.

SANTIAGO: There are two parts to that question: What can a CISO do internally within their own organization? And what can a CISO do to effect change in the industry? Our role is to


do both!

Internally, it really starts with education. People are the most important asset in any information security program; it starts with educating people about the risks and helping them [to] understand how that ties to patient safety. At the end of the day, they live and breathe patient care, and they will do anything to have good outcomes and make patients' lives better. If you can connect information security to patient safety, you can now connect to your clinicians in language they understand. When I talk to them about clinical devices that are on old, unsupported operating systems that are measuring some critical data about a patient, [I] have to bring integrity into the picture: Do you really have the right information?

I talk to them about ransomware and how if we don't apply good data hygiene and we are infected, you could potentially not have access to your clinical information when you need it. It puts patient lives potentially at risk. And they understand that. Then they start to listen to why security is integral to the continuum of care.

On the second piece, as healthcare leaders, we need to collaborate and share information as well as be active with the regulators. We need to build bridges and communities: Healthcare is under attack. We are the single most attacked industry in the U.S. right now (there are a vast number of reasons for that), so we have to build economies of scale by talking to each other about our needs. Hackers are very collaborative, and as leaders in healthcare information security, we need to start doing the same. We have a great healthcare information security community here in the Philadelphia area. We need that at a national level.

MARCUS J. RANUM, the chief of security at Tenable Network Security Inc., is a world-renowned expert on security system design and implementation. He is the inventor of the first commercial bastion host firewall.


THE HYBRID LIFE

It's Time to Clarify Ownership of Cloud Risk

Business leaders sign off on cloud but fail to understand their accountability. BY DAVE SHACKLEFORD

COMPANIES WANT TO use cloud-based services and applications; thus, security teams need to assess the risk and come up with controls that work in cloud environments. Sounds simple, right? Securing cloud assets presents numerous challenges, however, from controls that don't translate well to lack of transparency from cloud providers. And one of the most pressing concerns sits squarely with the CISO: pushing for more ownership of cloud risks within the business.

CISOs juggle a lot of security responsibilities, including overseeing technical project teams and communicating cloud risks and possible resolutions to other executives and board members. Unfortunately, it's a common misperception that the information security organization owns the risks of IT projects, whether on premises or in the cloud. For CISOs trying to be flexible and amenable to rapidly changing and competitive business requirements, it's all too easy to gloss over this issue when discussing cloud providers, security controls and deployment scenarios with other stakeholders.

The time has come for security officers to steer the conversation toward risk assessment and review so that business owners actually understand the cloud risks presented and sign off on them, not the information security organization.

MATURE RISK ASSESSMENT

In many organizations (at least, the ones I work with), security teams are still struggling to develop and implement mature risk assessment and review processes for


cloud projects. The reasons are many: not enough resources on the security team, apathy from management, slow adoption of changes, pushback from DevOps teams and more. Buy-in from vendor management and procurement teams, with involvement from legal teams, is also critical in properly evaluating risk in contracts. Security officers should balance the input and involvement from all of these teams to provide objective recommendations regarding cloud risks. It's important to ensure business leaders understand the following:

- Moving assets to the cloud does not in any way absolve the organization of responsibilities in protecting systems, applications and data.

- Cloud providers are not wholly transparent in disclosure of security controls and internal security practices and processes. Any discussion of risk, as well as acceptance of risk, must come with the caveat that all stakeholders will likely be making decisions with limited information.

- Compliance requirements will need to be carefully reviewed prior to any cloud deployment, and this will require extra resources and time. In addition, for data governed by compliance and regulatory statutes, any cloud provider selected will have to meet all necessary requirements.

- Legal and vendor management teams will need to review any contract language carefully, requiring additional resources and time. Any new cloud service provider will have to be thoroughly scrutinized before business units sign up for applications and services.

- There is a high likelihood that not all in-house security controls and processes will work in the cloud environment, which may jeopardize compliance status or increase cloud risks significantly.

- Additional products and services may be necessary to help create parity with the organization's current in-house security status. Reviewing options will take time and resources, and it's highly likely that additional costs will be incurred to ensure coverage in the cloud. This cost will also need to be accommodated within any financial and pricing projections cloud teams propose.


CLOUD SECURITY POLICY

In any organization, the board and CEO will ultimately own any risks new IT projects bring and will be held responsible for any breaches or compromise scenarios that arise from decisions. However, security officers should ensure that the business leaders realize that they do, in fact, own these risks; all too often, the perception is that the data custodians, usually IT teams, are responsible for cloud risks incurred during new projects. An excellent starting point to remedying this misconception is to develop a comprehensive cloud security policy that includes the following:

- A clearly stated executive sponsor: Without an executive sponsor or group, it's unlikely that a cloud policy will have enough support to be enforced throughout the organization. The cloud security policy should also include some statement as to who will sign off for cloud projects. Is this the CIO?

- Data types and classifications that are allowed in the cloud and those that aren't, or what controls or additional measures are needed first.

- Compliance mandates that need to be addressed, if any.

CISOs should ensure that use of cloud computing services complies with all current laws; IT security best practices, standards and requirements; and risk management policies. The same goes for all privacy laws and regulations. It's important to make sure that an executive or team explicitly signs off on all use of cloud computing and that they are properly informed with documented cloud risk assessment results. Until this process is accepted within the organization, true risk ownership won't reside where it should on cloud projects: with the senior executives and data owners.

DAVE SHACKLEFORD is the owner and principal consultant of Voodoo Security LLC; lead faculty at IANS; and a SANS analyst, senior instructor and course author. He previously worked as CSO at Configuresoft; CTO at the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.


TechTarget Security Media Group

EDITORIAL DIRECTOR Robert Richardson
FEATURES EDITOR Kathleen Richards
MANAGING EDITOR Brenda L. Horrigan
SITE EDITOR Robert Wright
SITE EDITOR Peter Loshin
DIRECTOR OF ONLINE DESIGN Linda Koury
MANAGING EDITOR, E-PRODUCTS Moriah Sargent
COLUMNISTS Marcus Ranum, Dave Shackleford
CONTRIBUTING EDITORS Kevin Beaver, Crystal Bedell, Mike Chapple, Michele Chubirka, Michael Cobb, Scott Crawford, Peter Giannoulis, Francoise Gilbert, Joseph Granneman, Ernest N. Hayden, David Jacobs, Nick Lewis, Kevin McDonald, Sandra Kay Miller, Ed Moyle, Lisa Phifer, Ben Rothke, Mike Rothman, Karen Scarfone, Joel Snyder, Steven Weil, Ravila Helen White, Lenny Zeltser

EDITORIAL BOARD
Phil Agcaoili, Cox Communications
Seth Bromberger, Energy Sector Consortium
Mike Chapple, Notre Dame
Brian Engle, Health and Human Services Commission, Texas
Mike Hamilton, MK Hamilton and Associates
Chris Ipsen, State of Nevada
Nick Lewis, Saint Louis University
Rich Mogull, Securosis
Tony Spinelli, Equifax
Matthew Todd, Financial Engines
MacDonnell Ulsch, PwC U.S.

VICE PRESIDENT/GROUP PUBLISHER Doug Olender, dolender@techtarget.com

Stay connected! Follow @SearchSecurity today.

TechTarget, 275 Grove Street, Newton, MA 02466, www.techtarget.com

© 2016 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.

COVER IMAGE: SORBETTO/ISTOCK