CSO


Government’s Cloud Audit Program Falls Behind Schedule

In a speech on Wednesday, Federal Chief Information Officer Steven VanRoekel said that a federal program for qualifying and providing security audits of private-sector cloud providers will become mandatory for any agency that wants to contract with third-party cloud providers, according to a report on GovInfoSecurity.com. But even as the U.S. federal government forges ahead with plans to shift a quarter of its IT spending to cloud-based services, efforts to launch that program, the Federal Risk and Authorization Management Program (FedRAMP), are falling well behind schedule, according to a GAO report.

2011: What’s Your IT Security Plan?

A gusher of Web application vulnerabilities, malicious insiders and sophisticated malware threaten networks and data. To keep your systems reasonably secure, what will your security focus be during the year ahead?

Former Penn CSO Dishes on His Firing

Former State of Pennsylvania CISO Robert Maley has been watching all the news about his firing for talking about a security incident without permission at last month’s RSA conference. He began a talk on application security at CSO Perspectives 2010 by going off topic and addressing the controversy head on. Read the full article. [CSO]


Robert Maley was fired from his job as the chief information security officer for the state of Pennsylvania earlier this month after he spoke, without proper authorization, about security incidents involving the state during a panel discussion at the RSA trade show. In this interview, Maley gives his side of the events that led to his dismissal. Read the full article. [Computerworld]

Digital Underground podcast with Dennis Fisher

In this episode of the Digital Underground podcast, Dennis Fisher talks with David Mortman, CSO-in-residence at Echelon One and longtime security executive, about whether we’ve become too reliant on compliance, the changing nature of the CSO’s job and how network security is like baking artisan bread. Really.

From CSO (Bill Brenner)
When the digital forensics crew comes in to investigate a possible data breach, company executives often make matters worse by not being prepared. To help companies deal with this issue, CSOonline talks to the experts [csoonline.com] and offers these five steps that can be taken to ensure a smooth investigation that ends with the company’s reputation intact.

By Andrew Jaquith
Despite years of investments in technology and processes, protecting enterprise-wide data remains a maddeningly elusive goal for chief information security officers (CISOs). Software-as-a-service (SaaS), Web 2.0 technologies, and consumerized hardware increase the number of escape routes for sensitive information. Regulations, statutes, and contractual expectations drown CISOs in audit requests and ratchet up the pressure to do something about the problem. Hordes of vendors confuse CISOs with innumerable sales pitches.
Instead of beating your head against the wall, devolve responsibility to the business, keeping controls closest to the people who use the data. IT security should be primarily responsible only for deploying data protection technologies that require minimal or no customization. Read the full story [csoonline.com]

By Joan Goodchild, CSO
“The dean of the security deep thinkers,” “security luminary,” and “risk-management pioneer” are all phrases that have been used to describe Dan Geer. Considered one of the foremost leaders in information security, his resume includes time as president and chief scientist at Verdasys Inc., a critical role in Project Athena at MIT, and a now famous firing from @Stake for co-writing a paper warning that a Microsoft monoculture threatened national security.
These days Geer, a 2009 CSO Compass Award winner, is CISO with In-Q-Tel, a non-profit venture capital firm that invests in security technology in support of the intelligence community. Geer recently spoke with CSO [csoonline.com] and explained why, despite all he has accomplished in his past, his sights are still set toward the future of security. Read the full Q&A interview.

By Jeremiah Grossman, White Hat Security
Someone begins watching a basketball game and asks who is winning. You might helpfully answer, “Lakers up 76 to 64.” Imagine if instead you said, “The Lakers are 60% from the field, have 12 rebounds, are 8 of 10 from the line, and the average height of the starting lineup is 6’7.” Sure, these are important statistics, but they certainly do not answer the question. (Inspired by Richard Bejtlich) The person listening would probably think you were trying to be funny, a jerk, or perhaps both.
Yet, this is how the Web security industry responds when businesses ask about the security of their websites. “We identified 21 security defects including eight Cross-Site Scripting and four SQL Injection, we are improving our SDL processes, and most of our programmers have been through security training.” Again, important metrics, but still not answering the most important question — how well defended is a website from getting hacked.
