Synopsis
Exclusive, insightful audio interviews by our staff with government/security leading practitioners and thought-leaders. Transcripts are also available on our site!
Episodes
-
Secure Access to Sensitive Data: Insights from John Bordwine, Public Sector CTO, Symantec
17/03/2010 We've emerged from a global financial crisis, and now regulatory reform is coming to financial services. What do these events mean for the financial regulatory agencies - especially in terms of securing access to sensitive data? John Bordwine, Public Sector CTO at Symantec, tackles this question, discussing: The critical need to secure access to sensitive data; The business benefits of enhancing security; Key takeaways for non-financial organizations. As the Symantec Public Sector CTO, Bordwine currently serves as a trusted advisor, providing guidance on the development of products and solutions that meet government requirements and certifications specifically focused on the Public Sector markets. His responsibilities also include all technical activities related to Public Sector customers, which includes federal, state, and local government agencies, and education industries. In addition to these responsibilities, he also provides guidance to other Symantec business units around specific requireme
-
Heartland Payment Systems Works with Feds to Secure IT
09/03/2010 Steve Elefant, CIO, Heartland Payment Systems
One theme repeated by every major Obama administration official speaking at RSA Conference 2010, the IT security conference held in early March in San Francisco, was the need for the government and business to work together to protect the nation's critical IT systems. Among those listening to these officials was Steve Elefant, chief information officer of payment processor Heartland Payment Systems, a victim of a 2009 breach considered the largest criminal breach of card data ever, exposing information on upward of 100 million cards. In an interview with Information Security Media Group Executive Editor Eric Chabrow, Elefant discusses the impact of the breach on Heartland's relationship with the government and other financial institutions in securing critical IT systems operated by the private sector.
-
Hathaway Speaks Out on CNCI Declassification
08/03/2010 Melissa Hathaway worked on the development of the Comprehensive National Cybersecurity Initiative when she served in the Bush White House, and she assessed the CNCI as the leader of President Obama's 60-day cyberspace policy review. GovInfoSecurity.com's Executive Editor Eric Chabrow ran into Hathaway at the RSA Conference 2010 in San Francisco earlier this month, just after the White House issued a declassified summary of CNCI, a series of initiatives aimed at securing federal government information assets and the nation's critical IT infrastructure. Besides responding to a question on whether declassifying parts of CNCI was a good idea, Hathaway also addressed: Collaboration between government and the private sector, and among private-sector companies themselves, on developing cyber defenses. How much regulation the government should impose on the private sector to assure IT security. A new idea she hadn't thought of before attending the RSA IT security conference. Hathaway left government service last summer, for
-
RSA 2010: Warren Axelrod on Information Security
05/03/2010 C. Warren Axelrod is a veteran banking/security executive and thought-leader, and in an exclusive interview at the RSA Conference 2010 he discusses top security trends and threats, including: Insider fraud; Application security; Cloud computing. Axelrod is currently executive advisor for the Financial Services Technology Consortium. Previously, he was a director of Pershing LLC, a BNY Securities Group Co., where he was responsible for global information security. He has been a senior information technology manager on Wall Street for more than 25 years, has contributed to numerous conferences and seminars, and has published extensively. He holds a Ph.D. in managerial economics from Cornell University, and a B.Sc. in electrical engineering and an M.A. in economics and statistics from Glasgow University. He is certified as a CISSP and CISM.
-
RSA 2010: Banking/Security Agenda - Paul Smocer, Financial Services Roundtable
04/03/2010 What are the key banking/security topics on the minds of leaders of the nation's largest banks? At the RSA Conference 2010, Paul Smocer of BITS and the Financial Services Roundtable discusses: The Roundtable's information security priorities; How regulatory reform may impact security organizations; The future of the Shared Assessments Program - in banking and beyond. Smocer, VP of Security at BITS, a division of the Financial Services Roundtable, leads the group's security program. Smocer has over 30 years' experience in security and control functions, most recently focusing on technology risk management at The Bank of New York Mellon and leading information security at the former Mellon Financial. While at Bank of New York Mellon and at Mellon, Smocer was actively engaged with BITS as a member of its Vendor Management Working Group, as 2005 Chair of its Security Steering Committee, and as 2004 Chair of its Operational Risk Committee.
-
Certifications: What's New? - Hord Tipton, (ISC)2
04/03/2010 Education and training are two of the key priorities of information security professionals and organizations in 2010. And professional certifications are at the heart of that training. What's new in information security certifications? In an exclusive interview at RSA Conference 2010, W. Hord Tipton, Executive Director of (ISC)², discusses: Training trends; What's new from (ISC)²; Insight into new research on the profession. Tipton is the executive director for (ISC)², the global leader in educating and certifying information security professionals throughout their careers. Tipton previously served as president and chief executive officer of Ironman Technologies, where his clients included IBM, Perot Systems, EDS, Booz Allen Hamilton, ESRI, and Symantec. Before founding his own business, he served for five years as Chief Information Officer for the U.S. Department of the Interior.
-
PCI: What's Next and When?
02/03/2010 From RSA 2010: Interview with Bob Russo, GM of the PCI Security Standards Council
How will the Payment Card Industry Data Security Standard (PCI DSS) be amended, and when? These are the key questions in payments security, and Bob Russo, GM of the PCI Security Standards Council, is prepared to start answering them. In an exclusive interview conducted at RSA Conference 2010, Russo discusses: Key questions about PCI; Potential solutions to enhance payments security; Timeline for the release of the next PCI standard. Russo brings more than 25 years of high-tech business management, operations and security experience to his role as the general manager of the PCI Security Standards Council. Russo guides the organization through its crucial charter, which is focused on improving data security standards for merchants, banks and other key stakeholders involved in the global payment card transaction process. To fulfill this role, Russo works with representatives from American Express, Discover Financial, JCB, Mas
-
What's Happening with the Trusted Internet Connection?
01/03/2010 Matt Coose, Director, Federal Network Security, National Cybersecurity Division, Department of Homeland Security
As director of federal network security at the Department of Homeland Security's National Cybersecurity Division, Matt Coose is helping shepherd the Trusted Internet Connection initiative, which aims to reduce the number of connections linking executive branch IT networks to the Internet from thousands upon thousands to 100 or fewer. The basic concept behind TIC, initiated in 2007 by the Bush administration, is that by drastically reducing the number of access points, the government could more easily monitor and identify potentially malicious traffic. In the interview, Coose: Reveals the number of TIC and non-TIC connections that now exist. Explains the shift in TIC strategy by the Obama administration. Discusses the architecting of TIC 2.0 to include the Einstein 2 intrusion detection system. Coose, a West Point graduate and former Army captain, was interviewed by GovInfoSecurity.com's Eric Chab
-
Bridging Silicon Valley and the Beltway
26/02/2010 Robert Rodriguez, Chairman, Security Innovation Network
Robert Rodriguez thinks there are plenty of innovative ideas for securing information systems emanating from American entrepreneurs that those responsible for federal government cybersecurity haven't heard of. Rodriguez is chairman of the Security Innovation Network, which was created to bridge the gap between Silicon Valley and the Beltway by encouraging collaboration between entrepreneurs and government on developing IT security solutions. In an interview with GovInfoSecurity.com, Rodriguez spoke of the officials charged with securing government IT: "They wish that they had greater awareness of companies at an early stage so they can shape the mission needs. Sometimes the companies they come across are too mature, too robust and down their paths that it's too costly and not effective to alter to a unique infrastructure in some of these government agencies." Rodriguez, in the interview conducted by GovInfoSecurity.com's Eric Chabrow, assesses the cu
-
Infosec Guru Ron Ross on NIST's Revolutionary Guidance
25/02/2010 NIST senior computer scientist Ron Ross heads a National Institute of Standards and Technology-Defense Department team that created the just-released information security guidance for federal agencies: Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. In an interview with GovInfoSecurity.com, Ross discusses the: Importance of the new guidance that provides for real-time monitoring of IT systems. Challenges federal agencies face in adopting NIST IT security guidance. State of cybersecurity in the federal government. Ross was interviewed by GovInfoSecurity.com's Eric Chabrow. The highly regarded NIST senior computer scientist and information security researcher serves as the institute's FISMA implementation project leader. He also supports the State Department in the international outreach program for information security and critical infrastructure protection. Ross previously served as the director of th
-
"Follow the Risk" - Tips from Richard Chambers, President of the Institute of Internal Auditors
19/02/2010 Richard Chambers, President of the Institute of Internal Auditors (IIA), has three words of advice for organizations, executives and auditors looking to improve the role of internal audit: "Follow the risk." In an exclusive interview, Chambers discusses: Impact of the economic recession on internal audit; How the role has evolved because of recent times; Advice for organizations, executives and auditors to further maximize the role. Chambers began his career in 1976 with the U.S. General Accounting Office, where he first became an internal auditor. He firmly established himself in government internal auditing and was named Worldwide Director of Internal Review for the United States Army in 1993. He later served as Deputy Inspector General for the United States Postal Service and Inspector General for The Tennessee Valley Authority. In 2001, Chambers joined The IIA staff as vice president, Learning Center. After a brief tenure as "acting president," he left The IIA in 2004 to join PricewaterhouseCoopers,
-
The Skinny on the Kneber Botnet
18/02/2010 Alex Cox, Research Consultant and Principal Analyst, NetWitness
Alex Cox, a research consultant and principal analyst at the IT security firm NetWitness, last month discovered the Kneber botnet, a variant of the ZeuS Trojan that he says has infected 75,000 systems in 2,500 corporate and governmental organizations worldwide. (See Botnet Strikes 2,500 Organizations Worldwide.) In an interview, Cox describes: How the Kneber botnet works. Who the malware targeted. Damage the botnet could cause. Cox was interviewed by Eric Chabrow, GovInfoSecurity.com managing editor.
-
How to Manage Social Media - Jerry Mechling, Harvard Kennedy School
12/02/2010 From blogs to wikis, Facebook to Twitter, social media have taken over the workplace. But how do security leaders manage social media before all these new tools and technologies become unmanageable? Jerry Mechling is a prominent author and lecturer at the Harvard Kennedy School, and in an exclusive interview he discusses: Social media's impact on public and private entities; The inherent security and risk management challenges; How organizations should begin to unlock social media's potential. Mechling, Lecturer in Public Policy at the Harvard Kennedy School of Government, is Founder of the Leadership for a Networked World Program and the Harvard Policy Group on Network-Enabled Services and Government. He is also a Research Vice President of Gartner. His studies focus on the impacts of information and digital technologies on individual, organizational, and societal issues. He consults on these and other topics with public and private organizations locally and internationally. He is primary author of E
-
Beyond Compliance: Forrester's 5 Key Principles
09/02/2010 Khalid Kark, vice president at Forrester Research, recently wrote an in-depth report on healthcare information security in which he described five key principles. In an interview, Kark discusses each principle, including: Take a risk-based approach and look beyond regulatory compliance, focusing instead on creating a broader security framework; Follow the data through its entire life cycle, making sure it's protected when it's in the hands of business partners, outsourcers and others; Equip yourself with the ability to monitor and respond to security incidents; Focus on third parties and business associates, making sure all agreements spell out security provisions; and Be prepared to respond to the changing technology and threat landscape, such as the increasing use of social networks. Kark focuses on information security issues for clients of Forrester Research, a Cambridge, Mass.-based firm that offers consulting as well as research reports.
-
Putting Threats of Cloud Computing in Perspective
08/02/2010 David Matthews, Deputy Chief Information Security Officer, City of Seattle
The attacks, emanating from China, on the Gmail e-mail accounts of human rights activists are a reminder to government officials of the security and privacy threats cloud computing poses (Gmail is a cloud computing offering from Google). "It makes us more aware of some of the things we need to be doing as we need to do to be ready to go into cloud computing," David Matthews, Seattle deputy chief information security officer, said in an interview with GovInfoSecurity.com. "It was kind of a wake up call, in a way, for all of us to really think about this is (as) security as usual. We really need to pay attention to our security and our issues and be aware of what we're jumping into when we jump into cloud computing and be ready for it." Matthews, who is a member of the American Bar Association's Science and Technology Committee, which has been conversing about the legal and privacy concerns of cloud computing the past few years, s
-
Digital Forensics - Careers Tips from Rob Lee of SANS Institute
05/02/2010 Increasingly, digital forensics is an important element of an information security program for organizations of all types and sizes. But where can security leaders find qualified forensics professionals? How can these professionals obtain the skills and expertise they need to be successful? Rob Lee of Mandiant and SANS Institute discusses forensics careers, focusing on: Hot trends of 2010; Questions hiring managers must ask; Growth opportunities for qualified pros. Lee, a director with Mandiant and curriculum lead for digital forensic training at SANS Institute, has more than 13 years' experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response. Rob graduated from the U.S. Air Force Academy and served in the U.S. Air Force as a founding member of the 609th Information Warfare Squadron, the first U.S. military operational unit focused on Information Operations. Later, he was a member of the Air Force Office of Special Investigations where he
-
Gartner's Avivah Litan on Fraud Trends
04/02/2010 What are the top fraud trends facing financial institutions in 2010? Gartner's Avivah Litan shares her insights in an exclusive interview with Information Security Media Group's Linda McGlasson, discussing: Increased number of attacks on strong authentication; How to handle ACH fraud; The biggest security challenges for banking institutions. Litan has more than 30 years of experience in the IT industry and is a Gartner Research vice president and distinguished analyst. Her areas of expertise include financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications, as well as other areas of information security and risk. She also covers the security related to payment systems and PCI compliance.
-
Improving Cyber Awareness - Strategies from Dena Haritos Tsamitis of Carnegie Mellon
04/02/2010 Dena Haritos Tsamitis has an ambitious goal for the year: to improve cyber awareness among 10 million people globally. The Director of Education, Training and Outreach at Carnegie Mellon University's CyLab, Dena discusses: The cyber awareness challenge among people of all ages; Effective techniques for improving awareness; How organizations can improve and maximize their own efforts. Dena oversees education, training and outreach for Carnegie Mellon CyLab, the university's cybersecurity research center. She leads the MySecureCyberspace initiative to raise "cyber awareness" in Internet users of all ages through a portal, game and curriculum. She guides the education initiatives of the NSF Situational Awareness for Everyone center, which explores ways to improve computer defenses by incorporating models of human, computer and attack interactions into the defenses themselves. Also through CyLab, she serves as Principal Investigator on two NSF-funded programs: the Scholarship for Service (SFS) program and t
-
2010 Identity Fraud Study: Threats and Trends
04/02/2010 Interview with James Van Dyke of Javelin Strategy & Research
Identity fraud crimes expanded at a 12% rate in 2009. What can we expect to see in 2010? Javelin Strategy & Research is out with its latest Identity Fraud Study. For insight on the study results and what they mean to organizations across industry, James Van Dyke of Javelin discusses: Headlines from this year's study; Trends and threats to watch; What organizations and individuals can do to better protect themselves. Van Dyke is founder and president of Javelin Strategy & Research. Javelin is the leading provider of independent, quantitative and qualitative research for payments, multi-channel financial services, security and fraud initiatives. Javelin's clients include the largest financial institutions, card issuers and technology vendors in the industry.
-
Setting Tone at the Top: Jennifer Bayuk on Leadership
02/02/2010 When it comes to enterprise security, an organization gets its tone from the top - even when the tone is set accidentally. How do you set the right tone? That's the topic of the new book from former CISO Jennifer Bayuk: "Enterprise Security for the Executive: Setting the Tone from the Top." In an interview about her book, Bayuk discusses: The key audience she wants to reach; The main message for enterprise leaders; Today's top enterprise security challenges and how leaders should tackle them. Bayuk is an independent consultant on topics of information confidentiality, integrity and availability. She is engaged in a wide variety of industries with projects ranging from oversight policy and metrics to technical architecture and requirements. She has a wide variety of experience in virtually every aspect of information security. She was a Chief Information Security Officer, a Security Architect, a Manager of Information Systems Internal Audit, a Big 4 Security Principal Consultant and Auditor, and a Se