Information Security Leader, Author, Instructor and Speaker

DHS’s CDM Program Moves to the Next Phase: Protection

From Russian and Chinese hackers to WikiLeaks and North Korea, nefarious actors have long targeted federal systems, looking to steal sensitive national security information and disrupt government activities. But as agencies answered these threats, IT shops found they simply didn’t have the technical tools or sophistication to defend themselves.

Published October 2017 in FedTech Magazine.

Read the full article: DHS’s CDM Program Moves to the Next Phase: Protection


Find Your Footing in Cloud Security with CCSK

The cloud is here to stay. Organizations of all sizes and industries are turning to cloud services as a flexible, agile alternative to building expensive data centers, maintaining silos of technical expertise, and overprovisioning capacity to meet future demand.

Gartner recently estimated that the cloud computing industry will grow at an 18 percent rate in 2017, reaching a total market size of $246 billion. There’s no sign that the adoption of cloud services is slowing down, and a quick search of technical job descriptions shows that technologists with experience on cloud platforms such as Amazon Web Services (AWS), Microsoft Azure, Salesforce, Workday, and other similar services are in high demand.

However, at the same time that organizations are turning to the cloud to achieve cost savings, improve their agility and drive flexibility in computing, they also remain concerned about the security of data stored and processed in the cloud. Turning over responsibility for handling data at any layer of the cloud computing stack raises the eyebrows of security professionals and calls for a different kind of expertise than securing traditional environments.

Published June 26, 2017 on

Read the full story: Find Your Footing in Cloud Security with CCSK


Solving the cybersecurity staffing shortage

Cybersecurity is at a critical juncture. Organizations around the world increasingly recognize the importance of cybersecurity to their reputation and ongoing operations, driven by mainstream media reports about breaches. This recognition results, in many cases, in an increased desire to hire skilled cybersecurity professionals to protect systems and information assets.

This renewed interest in cybersecurity talent also is creating a significant skills gap, a cybersecurity staffing shortage, as employers struggle to stand out among the pack and recruit talented professionals to fill their open positions. Recent research confirms that this trend exists and that organizations are truly struggling to fill positions.

Information security industry association (ISC)² released its Global Information Security Workforce Study in February. This study surveyed more than 19,000 security professionals and projects that there will be a gap of 1.8 million cybersecurity experts over the next five years. That gap represents a 20 percent increase from the 1.5 million shortfall predicted by the same study last year — and provides quantitative evidence of the anecdotal pain felt by hiring managers around the world.

Published June 5, 2017 on

Read the full story: Solving the cybersecurity staffing shortage


IDC PlanScape: Deploying Multifactor Authentication

“Multifactor authentication is a time-tested approach that is finally coming of age,” says Mike Chapple, adjunct analyst with IDC’s IT Executive Programs (IEP). “Organizations recognize that they face an increasing threat from the compromise of password-based credentials; knowledge-based authentication simply doesn’t provide an adequate level of protection against those threats. Push-based authentication using smartphones is both simple for end users and cost-effective for the organization.”

IDC Research Report published May 2017.

Read the full report: IDC PlanScape: Deploying Multifactor Authentication


Keep Your Campus Both Smart and Secure as IoT Expands

The Internet of Things is taking college campuses by storm. From a Google Home in a professor’s office to a control system in a campus power plant, IoT devices are rapidly spreading, with no sign of slowing down. Within three years, analysts project, IoT devices may outnumber traditional computing devices by a 2-to-1 ratio. These devices offer diverse benefits, but they also introduce new security concerns.

In fall 2016, hackers drove these concerns home when they harnessed thousands of video cameras and other IoT devices to conduct the largest distributed denial of service (DDoS) attacks in internet history. Those attacks highlighted the question of IoT security in the minds of many IT leaders. Campuses should learn from this experience and take steps to keep their networks secure in the IoT era.

The Changing Connected Campus

IoT devices aren’t entirely new. Colleges often deploy sensors for physical plants that transmit data about temperature, humidity and other issues to centralized control systems, which use this data to optimize functionality. Such devices were once hard-wired to control systems, but many institutions now connect them to the network.

Published April 17, 2017 on

Read the full story: Keep Your Campus Both Smart and Secure as IoT Expands


4 Ways to Use Context-Aware Security for Maximum Advantage

Professionals at higher education institutions make context-aware security decisions every day. A security guard decides which visitors to allow on campus based on a quick assessment of vehicles and their drivers. Cybersecurity teams decide to allow or deny exceptions to endpoint security policies based on the nature of a device and the types of information it handles. The world of context-aware security seeks to automate these decision-making processes, bringing the world of analytics to bear on the problems of cybersecurity.

Context-aware security — the use of supplemental information to improve security decisions — holds great promise for the future of higher education cybersecurity. Institutions that start with the fundamentals and focus on high-value targets will reap the greatest rewards from this investment. Analysts will be able to dig deeper into security data with less time and effort, uncovering the relevant needles in the security data haystacks.

1. Begin with the Security Fundamentals

Context-aware security requires context. That’s not a startling conclusion, but it’s an area where many institutions fall short. Security decisions that are both contextual and wise require deep information about users and data. Before embarking on a context-aware security initiative, make sure you have a robust identity and access management infrastructure capable of providing useful attributes about individuals. For example, security products must be able to identify a person’s status — faculty member, student or administrator — and, preferably, his or her department.

Published March 29, 2017 on

Read the full story: 4 Ways to Use Context-Aware Security for Maximum Advantage


Half-a-billion reasons not to use free e-mail

On September 26, 2016, Yahoo! announced to the world that they were the victim of the largest systematic account compromise in the history of the Internet. Attackers managed to penetrate Yahoo!’s network as early as 2014 and steal account information belonging to more than 500 million Yahoo! users.

News of the breach at Yahoo! rocked the cybersecurity world as use of the service is so widespread, ranging from hosting personal e-mail accounts on the domain to managing thousands of fantasy football, baseball, and basketball leagues on their servers, and hosting millions of photographs through their Flickr service.

Indeed, it’s hard to imagine an American Internet user who hasn’t had some need to create a Yahoo! account over the past decade.

Published February 21, 2017 on

Read the full story: Half-a-billion reasons not to use free e-mail


3 Tips for Feds Looking to Ditch Old Datasets

The digital universe is expanding at a staggering rate as government agencies, businesses and citizens generate troves of data each day. The McKinsey Global Institute estimated in December that the United States possesses more than two zettabytes of information — equivalent to 2 trillion gigabytes.

Such growth creates opportunities for innovation but poses challenges to federal agencies seeking to comply with data retention requirements. What’s more staggering? That number likely will double every three years.

IT officials should pay attention to their organization’s electronic activities and ensure they stay within the bounds of federal records laws and regulations.

Published February 16, 2017 on

Read the full story: 3 Tips for Feds Looking to Ditch Old Datasets


Still got it: CISSP certification a must for aspiring security professionals

Rumors of the Certified Information Systems Security Professional (CISSP) certification’s demise are greatly exaggerated. In January 2015, I published an article on this site titled CISSP: The crown jewel of security certifications, in which I argued that the CISSP credential was the cybersecurity field’s premier certification.

At the time, I said that getting CISSP certified is “an almost mandatory rite of passage in the career of information security specialists and a prerequisite for many advanced roles in the profession.” Much has changed in the security certification landscape over the intervening two years, but I stand by my assessment today.

Just looking at sheer numbers, the CISSP continues to thrive. Two years ago, there were just over 99,000 CISSP credential holders worldwide. Today, there are more than 111,000 CISSP-certified cybersecurity professionals. That’s at least 12 percent growth during the period in which some assert the CISSP was in decline as a certification.

Published December 20, 2016 on

Read the full story: Still got it: CISSP certification a must for aspiring security professionals


Managed security providers: What’s new?

The managed security service provider market has grown recently, with providers adding both new customers and new services designed to respond to the changing cybersecurity threat landscape. Let’s look at two areas of note: the way that organizations evaluate managed security service providers, or MSSPs, and the types of services they can offer.

Evaluating managed security providers

The MSSP landscape is more crowded today than it was just three years ago, when I wrote about what was then an emerging world. The most recent Forrester Wave report identified 11 major MSSPs, but those large providers are only the tip of the iceberg: Many smaller firms occupy niche portions of the managed security space. This makes it extremely important that organizations critically evaluate the competitive offerings of MSSP candidates.

I originally suggested that organizations ask three questions of their enterprise as they consider whether to evaluate, and how to choose from, the many managed security providers in the market:

Published December 14, 2016 on

Read the full story: Managed security providers: What’s new?


Mike Chapple, CISSP, Ph.D.

Mike is an IT leader, information security professional, author, speaker and trainer with over fifteen years of experience in the field.
