Information Security Leader, Author, Instructor and Speaker

HIPAA Controls Don’t Do Enough for Privacy and Security

The authors of the HIPAA wrote a law designed to protect the security and privacy of health information in many different locations. They identified healthcare providers, insurance companies and health information clearinghouses as the most likely places where protected information would reside and imposed requirements that covered entities must protect that information.

Today, Fitbits and other fitness trackers, like the Apple Watch and HealthKit, and online communities offer individuals the possibility to engage far more in managing their own health, generating additional personal health information. The authors of HIPAA never imagined this new world of consumer health technology and, as such, HIPAA generally does not apply in these cases.

The holes in HIPAA controls stem from the definition of HIPAA-covered entities. These entities fall into three categories: healthcare providers, health insurers and health information clearinghouses. HIPAA also covers the business associates of covered entities that exchange information with covered entities. Consumer health companies normally do not fit into these categories. For example, the maker of a fitness tracking device doesn’t provide medical care to a patient or receive information from a medical professional, so there is no HIPAA-covered relationship.

Published September 24, 2016 on

Read the full story: HIPAA Controls Don’t Do Enough for Privacy and Security

Closing the Cybersecurity Generation Gap

Businesses around the world find their workforces increasingly divided along generational lines.  As the Boomer generation nears retirement, they find themselves in leadership positions managing a workforce composed of Millennials who approach the workplace with completely different attitudes.  In the realm of cybersecurity, several recent studies found that this tech-savvy generation is surprisingly naïve when it comes to protecting personal and corporate information.

In a mobile device security survey conducted by Absolute Software, 25% of members of the Millennial generation responded that they believe their digital behavior compromises the security of their organization.  That’s a shocking number by itself, but it becomes even more surprising when compared to the 5% of Boomers who reported similar behavior.  This huge generational divide requires attention from security professionals, who will want to design security programs that compensate for these differences.  Let’s look at five ways that organizations can tailor security controls to bridge the generational cybersecurity divide.

Read the full article: Closing the Cybersecurity Generation Gap

Published August 24, 2016 in BizTech Magazine

Hacking Small Companies is Big Business

Information security often takes a backseat to other issues that small business owners face. With more immediate concerns, such as shipping products or pursuing overdue accounts, business owners are likely to dismiss information security concerns as applying only to larger organizations.

It’s easy to think that a small business can remain below the radar of attackers and neglect security controls. Unfortunately, the facts do not support that idea.

When it comes to information security, no business is too small. Small businesses increasingly find themselves the focus of attacks directly targeted against them and designed to steal funds, information and customers.

Read the full story: Hacking Small Companies is Big Business

Published July 27, 2016 in BizTech Magazine

Six Most In-Demand New Cybersecurity Certifications

Cybersecurity is one of the hottest fields in information technology and skilled cybersecurity professionals are in high demand. Threats to enterprise security evolve constantly and organizations require increasingly skilled specialists with the knowledge required to combat those threats. As the cybersecurity field becomes increasingly specialized, industry is responding with a series of niche certification programs designed to demonstrate an individual’s qualifications to fill these new positions.

For job candidates, cybersecurity specializations can be extremely rewarding. A recent Certification Magazine salary survey ranked the top IT certification programs and five of the top ten certifications cover cybersecurity issues and command salaries of around $140,000. Let’s take a look at six of the most in-demand cybersecurity certifications that reached the marketplace in the past five years.

Read the full article: Six Most In-Demand New Cybersecurity Certifications

Published July 1, 2016 in Certification Magazine

10 Things Your Business Manager Wishes You Knew

Fortunately, the business managers who support IT organizations want to see those organizations succeed and make deep contributions to their institution’s teaching, research, and service missions. In a series of interviews, business managers from the University of Washington, Muhlenberg College, and the University of Notre Dame offered 10 critical pieces of knowledge about institutional business operations that they consider critical success factors for technology managers. Let’s take a look at the 10 things that your business manager wishes you knew.

Read the full article: 10 Things Your Business Manager Wishes You Knew

Published June 29, 2016 in EDUCAUSE Review

App container, app wrapping and other emerging mobile security tactics

The flood of personal devices entering organizations through both formal bring your own device (BYOD) programs and informal use of personal technology poses a significant risk to enterprise security. While organizations traditionally relied upon mobile device management (MDM) technology to control both the apps installed on mobile devices and the security configurations of the device operating system, this approach does not offer the flexibility necessary for BYOD models. Users do not want clunky corporate software that intrudes into their personal use of technology, and enterprise IT departments don’t want the support burden that comes along with such heavy-handed management. App containers and application wrapping are emerging as more BYOD-friendly solutions to the mobile security challenge.

Read the full article: App container, app wrapping and other emerging mobile security tactics

Published June 29, 2016 on

Rule 41: What does it mean for enterprises?

The Federal Rules of Criminal Procedure (FRCP) govern the criminal trials that take place in all federal courts around the nation.  While these rules are often quite dry and don’t often contain controversial provisions, they are extremely important to the conduct of criminal trials and contain the procedural rules that govern not only the conduct of a trial but also the conduct of law enforcement personnel who gather evidence that may be used at trial.

On April 28th, the U.S. Supreme Court submitted proposed amendments to the FRCP that cover a variety of changes to criminal trial procedures.  One of those in particular is of great interest to information security and privacy experts.  Rule 41 governs the search and seizure of evidence that may be used in a criminal proceeding.

Read the full story: Rule 41: What does it mean for enterprises?

Published June 21, 2016 on

Information Security Management: Making the Leap

If you’re looking for a career path that allows you to exercise both leadership and technical skills, technology management may be an appropriate path for you.  In particular, technology professionals with a security background will find that information security management offers the combination of a challenging work environment with a potentially lucrative career in a high-demand field.  Succeeding as an information security manager requires a unique blend of technical, leadership and social skills but offers tremendous rewards to those who make the cut.

Organizations around the world struggle constantly with security challenges, and one need look no farther than the evening news to see evidence.  Major security breaches have rocked both the public and private sectors in recent years, and Congress finds itself grappling with thorny legislative issues that seek to balance national security interests with those of information security.  As organizations seek to thrive in this murky environment, they require strong leadership for their information security and compliance functions.  As with many technical disciplines, they often find it challenging to attract highly qualified talent to their information security management positions because there is a relatively small pool of qualified individuals who are in great demand.  This combination of circumstances offers great opportunity to those seeking a career in security leadership.

Read the full article: Information Security Management: Making the Leap

Published May 23, 2015 in Certification Magazine

What’s Next for Encryption Legislation?

The legal battle between the FBI and Microsoft this spring brought encryption into the public spotlight in a major way for the first time.  While cybersecurity and law enforcement professionals have long debated issues over key escrow and access to encrypted information, these debates were never part of the greater public discourse until now.  Although the FBI dropped their request for access to the phone in the San Bernardino case, that tactical move merely kicked the can down the road.

In the wake of the FBI’s attempt to access the San Bernardino iPhone, legislatures at the federal and state level have all threatened to take up the issue, with legislators introducing bills that seek to address this challenge.  It’s likely that we will continue to see legislative wrangling over encryption issues this summer and fall.

Read the full story: What’s Next for Encryption Legislation?

Published May 17, 2016 on

Securing the Internet of Things

Browse the shelves of your local home improvement or appliance store and you likely won’t be able to move two steps before encountering a device bearing the adjective “smart.”  From televisions and microwaves to toothbrushes and sprinkler systems, almost every conceivable consumer device comes with WiFi or Bluetooth connectivity.  While exciting, the Internet of Things also introduces a whole new world of security risks, providing hackers with millions of new targets for their nefarious activities.  A recent IDC report predicted that 90% of all networks will experience an IoT-related security breach by the end of 2016.  That’s a sobering statistic!

IoT devices aren’t just popping up in homes – they’re also appearing in offices and on factory floors.  In some cases, these are the results of well-planned IT projects designed to improve automation or facilitate data collection.  In other cases, well-meaning employees may simply plug an IoT device into an available network port without recognizing the risks such a device might pose to enterprise security.  Security and networking professionals must understand the scope of IoT efforts within their organization along with the tools and techniques at their disposal to help protect against this threat.

Read the full story: Securing the Internet of Things

Published April 27, 2016 in Certification Magazine

Mike Chapple, CISSP, Ph.D.

Mike is an IT leader, information security professional, author, speaker and trainer with over fifteen years of experience in the field.

Full Biography