Information Security Leader, Author, Instructor and Speaker

Keep Your Campus Both Smart and Secure as IoT Expands

The Internet of Things is taking college campuses by storm. From a Google Home in a professor’s office to a control system in a campus power plant, IoT devices are rapidly spreading, with no sign of slowing down. Within three years, analysts project, IoT devices may outnumber traditional computing devices by a 2-to-1 ratio. These devices offer diverse benefits, but they also introduce new security concerns.

In fall 2016, hackers drove these concerns home when they harnessed thousands of video cameras and other IoT devices to conduct the largest distributed denial of service (DDoS) attacks in internet history. Those attacks put IoT security squarely on the agenda of many IT leaders. Campuses should learn from this experience and take steps to keep their networks secure in the IoT era.

The Changing Connected Campus

IoT devices aren’t entirely new. Colleges often deploy sensors for physical plants that transmit data about temperature, humidity and other conditions to centralized control systems, which use this data to optimize operations. Such devices were once hard-wired to control systems, but many institutions now connect them to the network.

Published April 17, 2017 on

Read the full story: Keep Your Campus Both Smart and Secure as IoT Expands

Posted in Articles

4 Ways to Use Context-Aware Security for Maximum Advantage

Professionals at higher education institutions make context-aware security decisions every day. A security guard decides which visitors to allow on campus based on a quick assessment of vehicles and their drivers. Cybersecurity teams decide to allow or deny exceptions to endpoint security policies based on the nature of a device and the types of information it handles. The world of context-aware security seeks to automate these decision-making processes, bringing the world of analytics to bear on the problems of cybersecurity.

Context-aware security — the use of supplemental information to improve security decisions — holds great promise for the future of higher education cybersecurity. Institutions that start with the fundamentals and focus on high-value targets will reap the greatest rewards from this investment. Analysts will be able to dig deeper into security data with less time and effort, uncovering the relevant needles in the security data haystacks.

1. Begin with the Security Fundamentals

Context-aware security requires context. That’s not a startling conclusion, but it’s an area where many institutions fall short. Security decisions that are both contextual and wise require deep information about users and data. Before embarking on a context-aware security initiative, make sure you have a robust identity and access management infrastructure capable of providing useful attributes about individuals. For example, security products must be able to identify a person’s status — faculty member, student or administrator — and, preferably, his or her department.
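As an added illustration, not code from the article or from its author, the following Python evaluator shows what the paragraph above means in practice: identity attributes (status and department, assumed to come from the institution's IAM system) establish entitlement, and request context (device posture, network location, time of day) modulates the decision toward step-up authentication or denial. When the IAM attributes are missing, the evaluator fails closed rather than guessing. The field names, risk weights and thresholds are all assumptions chosen for the example.

```python
"""
Added example (not from the original article): a minimal context-aware
access-policy evaluator for a campus scenario. Identity attributes are
assumed to be supplied by the institution's IAM system; request context
is assumed to come from an endpoint agent or the network layer. All
field names, weights and thresholds are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Identity:
    username: str
    status: Optional[str] = None      # "faculty", "student", "administrator"; None if IAM lacks it
    department: Optional[str] = None  # None if IAM lacks it


@dataclass(frozen=True)
class Context:
    device_managed: bool      # endpoint enrolled in management, per posture check (assumed)
    on_campus_network: bool   # request originates from a campus address range (assumed)
    hour: int                 # local hour, 0-23
    mfa_verified: bool = False


@dataclass(frozen=True)
class Decision:
    outcome: str              # "allow", "deny" or "step_up"
    reason: str


def risk_score(ctx: Context) -> int:
    """Sum of simple context risk signals (weights are assumptions)."""
    risk = 0
    if not ctx.device_managed:
        risk += 2                       # unmanaged device is the strongest signal
    if not ctx.on_campus_network:
        risk += 1
    if ctx.hour < 6 or ctx.hour >= 22:
        risk += 1                       # off-hours access
    return risk


def evaluate(resource_department: str, sensitivity: str,
             who: Identity, ctx: Context) -> Decision:
    """Decide access to a departmental resource.

    A contextual decision is only as good as the attributes feeding it, so
    a request with no usable identity attributes is denied outright.
    """
    if sensitivity not in ("internal", "restricted"):
        raise ValueError(f"unknown sensitivity {sensitivity!r}")
    if who.status is None or who.department is None:
        return Decision("deny", "identity attributes missing from IAM; failing closed")

    # Step 1: baseline entitlement from identity attributes alone.
    if sensitivity == "restricted":
        entitled = (who.status in ("faculty", "administrator")
                    and who.department == resource_department)
    else:
        entitled = (who.department == resource_department
                    or who.status == "administrator")
    if not entitled:
        return Decision("deny", f"{who.status} in {who.department} is not entitled "
                                f"to {resource_department}/{sensitivity}")

    # Step 2: context adjusts the decision rather than replacing entitlement.
    risk = risk_score(ctx)
    if sensitivity == "restricted":
        if risk >= 3:
            return Decision("deny", f"risk score {risk} too high for restricted data")
        if risk >= 1 and not ctx.mfa_verified:
            return Decision("step_up", f"risk score {risk}; MFA required for restricted data")
        return Decision("allow", f"entitled, risk score {risk}")
    if risk >= 3 and not ctx.mfa_verified:
        return Decision("step_up", f"risk score {risk}; MFA required")
    return Decision("allow", f"entitled, risk score {risk}")


if __name__ == "__main__":
    # Constructed sample requests, not real campus data.
    faculty = Identity("asmith", "faculty", "biology")
    student = Identity("bjones", "student", "biology")
    unknown = Identity("ghost")
    daytime_lab = Context(device_managed=True, on_campus_network=True, hour=10)
    home_laptop = Context(device_managed=False, on_campus_network=False, hour=23)
    for who, ctx in [(faculty, daytime_lab), (faculty, home_laptop),
                     (student, daytime_lab), (unknown, daytime_lab)]:
        d = evaluate("biology", "restricted", who, ctx)
        print(f"{who.username:8} restricted -> {d.outcome:8} ({d.reason})")
```

The point of the two-step structure is that context never grants access by itself: a student on a managed lab machine is still denied restricted departmental data, while an entitled faculty member on an unmanaged device off campus is pushed to MFA or denied depending on how many risk signals stack up.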

Published March 29, 2017 on

Read the full story: 4 Ways to Use Context-Aware Security for Maximum Advantage

Posted in Articles

Half-a-billion reasons not to use free e-mail

On September 26, 2016, Yahoo! announced to the world that it had been the victim of the largest systematic account compromise in the history of the Internet. Attackers managed to penetrate Yahoo!’s network as early as 2014 and steal account information belonging to more than 500 million Yahoo! users.

News of the breach at Yahoo! rocked the cybersecurity world as use of the service is so widespread, ranging from hosting personal e-mail accounts on the domain to managing thousands of fantasy football, baseball, and basketball leagues on their servers, and hosting millions of photographs through their Flickr service.

Indeed, it’s hard to imagine an American Internet user who hasn’t had some need to create a Yahoo! account over the past decade.

Published February 21, 2017 on

Read the full story: Half-a-billion reasons not to use free e-mail

Posted in Articles

3 Tips for Feds Looking to Ditch Old Datasets

The digital universe is expanding at a staggering rate as government agencies, businesses and citizens generate troves of data each day. The McKinsey Global Institute estimated in December that the United States possesses more than two zettabytes of information — equivalent to 2 trillion gigabytes.

Such growth creates opportunities for innovation but poses challenges to federal agencies seeking to comply with data retention requirements. What’s more staggering? That number likely will double every three years.

IT officials should pay attention to their organization’s electronic activities and ensure they stay within the bounds of federal records laws and regulations.

Published February 16, 2017 on

Read the full story: 3 Tips for Feds Looking to Ditch Old Datasets

Posted in Articles

Still got it: CISSP certification a must for aspiring security professionals

Rumors of the Certified Information Systems Security Professional (CISSP) certification’s demise are greatly exaggerated. In January 2015, I published an article on this site titled CISSP: The crown jewel of security certifications, in which I argued that the CISSP credential was the cybersecurity field’s premier certification.

At the time, I said that getting CISSP certified is “an almost mandatory rite of passage in the career of information security specialists and a prerequisite for many advanced roles in the profession.” Much has changed in the security certification landscape over the intervening two years, but I stand by my assessment today.

Just looking at sheer numbers, the CISSP continues to thrive. Two years ago, there were just over 99,000 CISSP credential holders worldwide. Today, there are more than 111,000 CISSP-certified cybersecurity professionals. That’s at least 12 percent growth during the very period in which some assert the CISSP was in decline as a certification.

Published December 20, 2016 on

Read the full story: Still got it: CISSP certification a must for aspiring security professionals

Posted in Articles

Managed security providers: What’s new?

The managed security service provider market has grown recently, with providers adding both new customers and new services designed to respond to the changing cybersecurity threat landscape. Let’s look at two areas of note: the way that organizations evaluate managed security service providers, or MSSPs, and the types of services they can offer.

Evaluating managed security providers

The MSSP landscape is more crowded today than it was just three years ago, when I wrote about what was then an emerging world. The most recent Forrester Wave report identified 11 major MSSPs, but those large providers are only the tip of the iceberg: Many smaller firms occupy niche portions of the managed security space. This makes it extremely important that organizations critically evaluate the competitive offerings of MSSP candidates.

I originally suggested that organizations ask three questions of their enterprise as they consider whether to evaluate, and how to choose from, the many managed security providers in the market:

Published December 14, 2016 on

Read the full story: Managed security providers: What’s new?

Posted in Articles

Connect to the red-hot hiring realm of network security with these top certs

New network security threats arise on almost a daily basis, as users explore new ways of working and hackers develop increasingly sophisticated tools and techniques. Modern users expect the ability to bring their own smartphones and tablets to the workplace and interact with sensitive business information seamlessly from their home or office, and while on the road.

At the same time, the network security threat landscape has shifted significantly over the past decade. The greatest risk to enterprise network security is no longer the isolated individual in a basement seeking the thrill of breaking into a new environment. Instead, today’s adversary is most often an organized, highly skilled team of attackers with a clear objective.

These changes in usage patterns and threat landscape place significant demands on the technology professionals responsible for protecting the safety and security of enterprise networks. Most organizations now employ network security experts who focus their time and talent on these issues, creating a lucrative new career path for technologists seeking to broaden their experience and find new opportunities.

Published November 29, 2016 on

Read the full story: Connect to the red-hot hiring realm of network security with these top certs

Posted in Articles

The science (and certification) of writing secure code

The world runs on code. From online banking to electronic voting systems and from self-driving cars to medical devices, almost every aspect of modern life relies upon software for safety, efficiency and convenience. Millions of lines of code intersect with our lives on a daily basis.

The security of that code is paramount to protecting the confidentiality, integrity and availability of the information, systems and devices upon which we rely. Unfortunately, there is a world full of hackers and other threat actors who wish to deprive us of the secure use of that code and focus relentlessly on undermining software security.

For many years, application developers adopted a “get it done” mindset that focused on shipping code as quickly as possible to gain market share, capitalize on business opportunities and improve efficiency. This mindset often sacrificed security as a burdensome afterthought that simply got in the way of progress.

Published September 27, 2016 on

Read the full story: The science (and certification) of writing secure code

Posted in Articles

HIPAA Controls Don’t Do Enough for Privacy and Security

The authors of HIPAA wrote a law designed to protect the security and privacy of health information in many different locations. They identified healthcare providers, insurance companies and health information clearinghouses as the most likely places where protected information would reside and imposed requirements that those covered entities must protect that information.

Today, fitness trackers such as Fitbit and the Apple Watch, health data platforms like HealthKit, and online communities offer individuals the possibility to engage far more in managing their own health, generating additional personal health information. The authors of HIPAA never imagined this new world of consumer health technology and, as such, HIPAA generally does not apply in these cases.

The holes in HIPAA controls stem from the definition of HIPAA-covered entities. These entities fall into three categories: healthcare providers, health insurers and health information clearinghouses. HIPAA also covers the business associates of covered entities that exchange information with covered entities. Consumer health companies normally do not fit into these categories. For example, the maker of a fitness tracking device doesn’t provide medical care to a patient or receive information from a medical professional, so there is no HIPAA-covered relationship.

Published September 24, 2016 on

Read the full story: HIPAA Controls Don’t Do Enough for Privacy and Security

Posted in Articles

Closing the Cybersecurity Generation Gap

Businesses around the world find their workforces increasingly divided along generational lines. As the Boomer generation nears retirement, Boomers find themselves in leadership positions managing a workforce composed of Millennials who approach the workplace with completely different attitudes. In the realm of cybersecurity, several recent studies found that this tech-savvy generation is surprisingly naïve when it comes to protecting personal and corporate information.

In a mobile device security survey conducted by Absolute Software, 25% of members of the Millennial generation responded that they believe their digital behavior compromises the security of their organization. That’s a shocking number by itself, but it becomes even more surprising when compared to the 5% of Boomers who reported similar behavior. This huge generational divide requires attention from security professionals, who will want to design security programs to compensate for these differences. Let’s look at five ways that organizations can tailor security controls to bridge the generational cybersecurity divide.

Read the full article: Closing the Cybersecurity Generation Gap

Published August 24, 2016 in BizTech Magazine

Posted in Articles

Mike Chapple, CISSP, Ph.D.

Mike is an IT leader, information security professional, author, speaker and trainer with over fifteen years of experience in the field.

Full Biography