Synopsis
Exclusive, insightful audio interviews by our staff with government/security leading practitioners and thought-leaders. Transcripts are also available on our site!
Episodes
-
2010 Data Breach Trends: Verizon Business Report Update
10/12/2009 Interview with Wade Baker and Alex Hutton of Verizon Business Earlier this year, Verizon Business unveiled its much-heralded 2009 Data Breach Investigations Report. Now, the company has just released its 2009 Supplemental Data Breach Report, which reveals the 15 most common attacks against organizations. In an exclusive interview, Wade Baker and Alex Hutton of Verizon Business discuss: The trends uncovered in the supplemental report; How the threat landscape varies by industry; What organizations and individuals can do to better protect themselves. Baker, research and intelligence principal with Verizon Business, has more than 10 years of IT and security experience. His background spans the technical-managerial spectrum from system administration and web development to data analysis and risk management. He is one of the primary authors of the groundbreaking Verizon Business Data Breach Investigations Report. Hutton, research and intelligence principal with Verizon Business, has served as a consult
-
Information Security Career Trends: Barbara Massa of McAfee
10/12/2009 What's ahead for information security professionals in 2010? Barbara Massa, VP of Global Talent Acquisition at McAfee, Inc. speaks to the results of the new Information Security Today Career Trends Survey, discussing: How the results speak to the maturity of the information security profession; The survey's message to CISOs; The value of recruitment and retention in the year ahead. Massa joined McAfee in June 2009. For the 10 years prior to joining McAfee, Barbara led the Talent Acquisition function at EMC and Documentum respectively (Documentum was acquired by EMC in December of 2003). Barbara's prior work includes leadership positions in the recruiting organization at Cadence Design Systems and at an external recruiting firm.
-
Human Capital No. 1 Infosec Goal: Philip Reitinger, Deputy Undersecretary, Homeland Security National Protection and Programs Directorate
09/12/2009 When it comes to defending America's crucial IT systems, the key component is the people, says the top cybersecurity leader at the Department of Homeland Security. "My top goal (for 2010), and nothing else even comes close, is to continue to add to the great core of human capital I've already got," Philip Reitinger, DHS deputy undersecretary of the National Protection and Programs Directorate and director of the National Cybersecurity Center, says in an interview with GovInfoSecurity.com. "There are no silver-bullet solutions here; we need people, we need process, we need technology. But of those, people are by far the most important." Reitinger, in the first of a two-part interview, concedes the challenge will be tough because of a dearth of qualified information security experts, but explains steps the government is taking to eventually eliminate that skills gap. Also, Reitinger addresses: The need to develop innovative, collaborative approaches, not only among federal agencies, but between the governm
-
Risk Management Trends for 2010: James Pajakowski, Protiviti
04/12/2009 Business risks have grown in size and complexity in 2009. How, then, must risk management evolve to meet the challenges of 2010? James Pajakowski, EVP of Global Risk Solutions with Protiviti, shares his insight on: The risk management trends for 2010; How information security professionals must meet the new challenges; What's most misunderstood about risk management today. Pajakowski oversees the delivery of Protiviti's services in the areas of finance and transactions, operations, technology, litigation, governance, risk, and compliance. He previously served as managing director and head of the Business Risk practice. He also was one of five founding members of the Protiviti Operating Committee, which was responsible for establishing Protiviti's vision and strategy and overseeing financial and administrative matters during the company's first five years. Prior to Protiviti, Pajakowski was a partner with Arthur Andersen, where he started his career in 1982. He has more than 25 years of professional serv
-
Having His Subordinate's Back: NIST Director Patrick Gallagher
01/12/2009 Patrick Gallagher has Cita Furlani's back. Gallagher, the new director of the National Institute of Standards and Technology, praised Furlani, head of NIST's Information Technology Laboratory, for her ITL reorganization plan to encourage more multidisciplinary collaboration with other agency units in developing cybersecurity programs and guidance. The plan received mixed reviews from NIST stakeholders, and Furlani withdrew it for further review. "Every manager should be striving to make sure their organization is as effective as possible," Gallagher, whom the Senate confirmed last month as NIST director, said in an interview with GovInfoSecurity.com. "What Cita was doing was looking at one of the major tools that a manager has, which is your organizational structure optimized for being as effective as possible. It was a very thoughtful proposal. The reality is that many of the cybersecurity activities are already spread across various divisions within ITL, and this was the chance to try to create some synergies t
-
The Well-Rounded Security Pro: Insights from Mark Lobel, ISACA
27/11/2009 No question, the information security professional's role has evolved in recent years. How, then, has the need for ongoing professional education also changed? And what role must risk management play in today's security organization? In an exclusive interview, Mark Lobel of PricewaterhouseCoopers and ISACA discusses: The role of professional education in information security; The evolution of risk management; How organizations and professionals must respond to the challenges of 2010. Lobel, CISA, CISM, CISSP, is a member of ISACA's Security Management Committee. He has over 25 years of business experience, with the first eight in the Entertainment and Media industry and then, after his MBA, with PricewaterhouseCoopers. He is an internationally recognized security and controls professional with experience designing, benchmarking and assessing organizational security strategies and technologies. He is experienced at designing, assessing, implementing and penetration testing enterprise security. Lobel
-
Blurring the Bull's Eye on Federal IT: Dickie George, Technical Director of Information Assurance, National Security Agency
25/11/2009 Back in the 1950s, not too many years removed from World War II, Dickie George was in grade school, and he recalled drills in which pupils hid under their classroom desks in preparation for a bombing attack. Then, he said, people understood threats. "In today's cyber world, cyber is so much more complicated than a bomb that it's really hard for people to really understand the threat, and understand how to defend themselves against that threat," George, technical director at the National Security Agency's Information Assurance Directorate, said in an interview with GovInfoSecurity.com. "That education is what we have to achieve as a nation, so that we can all work together to make ourselves a much harder target." In the second of a two-part interview, George discusses the: Risk federal IT faces because of a dearth of cybersecurity professionals needed to safeguard information systems. Competition among government agencies and the government and business in recruiting far too few cybersecurity professionals
-
Business Continuity Trends 2010: Sue Kerr, BC/DR Consultant
24/11/2009 We've experienced two waves of the H1N1 pandemic. What lessons have we learned? Sue Kerr, President of Continuity First, a business continuity/disaster recovery consultancy, talks about how organizations have handled H1N1. She also discusses: The state of BC/DR; Challenges facing organizations today; 2010 trends and career opportunities. Kerr is also the president of the Old Dominion Association of Contingency Planners, Education Director for the National Association of Contingency Planners and a previous member of the Disaster Recovery Journal Editorial Advisory Board. She has been active in setting standards for the industry as well as training others. She has spoken at various conferences and has done training for corporations, governmental organizations as well as the community. She has been published in industry journals and has been interviewed on multiple occasions as a subject matter expert. She is a Certified Business Continuity Professional through the Disaster Recovery Institute. In addition
-
Equipping the Federal Workforce for the Cyber Age: Ruby DeMesme, Senior Adviser, Deloitte
24/11/2009 For decades from the inside, and now from the outside, Ruby DeMesme has seen the role of the federal government worker evolve over the years. The former Air Force assistant secretary for manpower, reserve affairs, installation and environment sees information technology as shaping the way government workers perform their jobs. No longer are jobs aligned with a predefined assignment; they are dynamic, requiring critical thinking and the ability to navigate technology to determine how best to perform a variety of tasks. Now a senior adviser to the consultancy Deloitte, DeMesme has written a paper entitled "Equipping the Federal Workforce for the Cyber Age," in which IT security plays a critical factor. In the interview, DeMesme explains the: Meaning of the word equipping in the context of the Internet-age federal workforce. Synergy between cybersecurity and an IT-savvy workforce. Commitment the federal government must make to create a 21st century workforce. GovInfoSecurity.com's Eric Chabrow interviewed DeMes
-
Thinking Like a Hacker: Dickie George, Technical Director of Information Assurance, National Security Agency
23/11/2009 As the government adds new applications to its information systems, it creates more openings for attackers to gain access, creating a continuing battle between IT security professionals charged with safeguarding the systems and those seeking to cause them damage. "The more functionality that's there, the more ways there are for an attacker to get it to operate in a way that no one ever conceived," Dickie George, the National Security Agency's Information Assurance Directorate technical director, said in an interview with GovInfoSecurity.com. "The better the system is, the more interesting it is, the more capability it has, the more opportunities there are for an attacker to find the way in. We are notorious for always needing new types of functionality. We want our equipment to be able to do more things, and every time we increase the functionality, we allow for problems." In the first of a two-part interview with GovInfoSecurity.com's Eric Chabrow, George discusses: The strength of today's techno
-
Ron Ross, NIST's Infosec Guru, on the Institute's Latest Transformational Guidance
20/11/2009 The National Institute of Standards and Technology characterizes its new guidance released this past week as transformational, and no one can speak more authoritatively about it than Ron Ross, NIST's highly regarded senior computer scientist, information security researcher and FISMA implementation project leader who co-authored the guide. Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, encourages continual system authorization by implementing robust continuous monitoring processes. Why is this revision of SP 800-37 significant? Here's Ross' response: "There are a lot of reasons; I think the obvious one that everybody is talking about is its continuous monitoring aspects. This really reflects the significant uptake in the threats and the type of attacks that we've seen grow almost exponentially over the past couple of years. The adversaries are launching more attacks; they're more sophisticated, and we
-
Privacy Trends and Laws: J. Trevor Hughes of the IAPP
17/11/2009 What have been the biggest privacy issues of 2009, and what emerging trends should you watch heading into 2010? We posed these questions to J. Trevor Hughes, Executive Director of the International Association of Privacy Professionals (IAPP). In an exclusive interview, Hughes discusses: The role of the IAPP; Key legislation in the U.S. and internationally; Where organizations need to improve privacy protection. Hughes is an attorney specializing in e-commerce, privacy and technology law. In his role as Executive Director of the IAPP, Hughes leads the world's largest association of privacy professionals. Hughes has provided testimony before the U.S. Congress Commerce Committee, the U.S. Senate Commerce Committee, the U.S. Federal Trade Commission, and the EU Parliament on issues of privacy and data protection, spam prevention and privacy-sensitive technologies. He is a member of the first class of Certified Information Privacy Professionals (CIPPs) and is co-author (with D. Reed Freeman, Jr.) of "Pri
-
User-Centric Identity Comes to Washington: Heather West of the Center for Democracy and Technology
16/11/2009 As the federal government begins to pilot the use of third-party credentials to authenticate users at three websites, the advocacy group Center for Democracy and Technology this month has published a white paper, Issues for Responsible User-Centric Identity, raising questions it feels must be addressed before user-centric identity systems are fully deployed throughout the government. User-centric identity refers to systems where users, rather than service providers, control their identity credentials. "User-centric federated identity systems have the potential to improve the security and privacy of authentication and services for users, but if improperly designed, these systems can negatively impact users and become a burden instead," says white paper author Heather West, a CDT policy analyst. In an interview with GovInfoSecurity.com, West explains: How user-centric identity works; Who are the major players; and Why the government should not regulate user-centric identity. West was interviewed by Eric
-
Community Outreach: The Need for Information Security Pros
16/11/2009 It's time for information security professionals to give back to their communities - to reach out and educate businesses, schools and citizens about cybersecurity and other relevant issues. This is the message from John Rossi, professor of systems management/information assurance at National Defense University. In an exclusive interview, Rossi discusses: Why security professionals should practice outreach; Potential venues for public speaking; How to get started. Rossi is a Professor of Systems Management/Information Assurance in the Information Operations and Assurance Department at the National Defense University (NDU) Information Resources Management College (IRMC). Prior to joining the NDU/IRMC faculty, he was a computer scientist for information security, research, and training with the U.S. Federal Aviation Administration Headquarters. He was Security Division Manager of the U.S. Department of Energy's Nuclear Weapons Production Security Assessments Program and National Program Manager for Computer
-
White House Must Lead: Melissa Hathaway, White House Cybersecurity Policy Review Leader - Part 2
13/11/2009 Melissa Hathaway, who led President Obama's 60-day cybersecurity policy review, says it would be a mistake to place the nation's top cybersecurity adviser in the Department of Homeland Security, as proposed by an influential senator, and not in the White House. Asked, in an interview with GovInfoSecurity.com, whether the idea forwarded by Sen. Susan Collins, R.-Maine, was a good one, Hathaway responded: "No. I believe there is a need to have leadership out of the White House. There have been many reports that have been written that if you establish a lead in one particular agency, they don't necessarily have the authoritative responsibility over all of the other departments and agencies. And, while I think it's important to have leadership at the Department of Homeland Security, I think that without having the leadership at the White House, we will not be able to really drive the federal government in the direction that it needs to go." Among the topics Hathaway addresses in the second of a two-part inter
-
Creatively Securing IT: Melissa Hathaway, White House Cybersecurity Policy Review Leader
12/11/2009 Government and business must think creatively to help safeguard America's digital assets, says Melissa Hathaway, the former White House acting senior director for cybersecurity who led President Obama's 60-day cybersecurity policy review. Hathaway, in an interview with GovInfoSecurity.com, cited the innovative coupling of cell phone and global positioning technologies to authenticate a user withdrawing money from an ATM or making a credit card purchase. With the cell phone turned on, a GPS can verify that the consumer is where the transaction takes place. "That's not what cell phones were originally designed for, but I thought it was a creative solution on how to defeat the fraud or at least make it much more complicated for the criminal or thieves to take our information or take our personal data," Hathaway said in a conversation with Eric Chabrow, GovInfoSecurity.com managing editor. In the first of the two-part interview, Hathaway also discussed: The critical posture of cybersecurity in the United States
-
Iris Recognition: NIST Computer Scientist Patrick Grother
11/11/2009 After fingerprints, iris recognition is the second most supported biometric characteristic, and its popularity as a means of authentication is growing. Patrick Grother is among the computer scientists at the National Institute of Standards and Technology's Information Technology Laboratory who are collaborating with their international colleagues to revise iris recognition standards and to advance iris images as the global interchange medium. In an interview, Grother discusses: Advances in iris recognition technology; When one biometric is better than another as a means of identification and authentication; and The IREX Exchange, or IREX, a program NIST founded to encourage collaboration in development of iris recognition algorithms operating on images conforming to the new ISO-IEC 19794-6 standard. Grother was interviewed by Eric Chabrow, GovInfoSecurity.com managing editor.
-
The Softer Side of Leadership - Heidi Kraft, Careers Coach
09/11/2009 Tough times require "softer" leaders. This is the perspective of careers coach Heidi Kraft, who says that today's senior leaders need to focus more on emotional intelligence and other "soft" qualities to be able to better recruit and retain quality employees. In an exclusive interview, Kraft discusses: Which "soft" skills are most important; How managers and employees alike can change a culture to embrace these skills; Where to start to develop and nurture "softer" leaders. Kraft is a Leadership and Career coach and founder of Kraft Your Success Coaching and Consulting. Prior to launching her business, she spent 17 years on the agency side of the advertising industry, including a stint as SVP Media Director at Boston-based Hill Holliday, developing and implementing media strategies for high-profile clients such as Microsoft, Intel, Intuit, Siebel Systems, 24 Hour Fitness and Harley-Davidson. She holds a CPCC (Certified Professional Coactive Coach) and is a graduate of the Coaches Training Institute
-
A Career in the Secret Service: What it Takes
06/11/2009 Interview with Kevin Sanchez-Cherry, IT Security Specialist What does it take for an information security professional to make it into the United States Secret Service? We asked Kevin Sanchez-Cherry, IT Security Specialist within the agency's Information Security Operations. In this exclusive interview, Sanchez-Cherry discusses: Types of Secret Service careers available to security professionals; What to expect during the hiring process; Myths and realities of a job in the Secret Service. Sanchez-Cherry is an IT Security Specialist for the United States Secret Service's Information Security Operations sub-division and is responsible for leading the Secret Service's Certification and Accreditation (C&A) Program and Information Systems Security Officer (ISSO) Program. He also assists in the management of the enterprise Information Assurance (IA) Program for the Secret Service. Prior to joining the Secret Service in 2006, Mr. Sanchez-Cherry served two years as Principal Security Specialist with the Dep
-
Fighting Fraud - Allan Bachman, Association of Certified Fraud Examiners
02/11/2009 Allan Bachman has fought fraud since the early 1970s, and he's seen the crimes evolve in both sophistication and scale. In an exclusive interview, Bachman, Education Manager for the Association of Certified Fraud Examiners (ACFE), discusses: The evolution of fraud schemes; The most common types of fraud seen today; Types of training available to help detect and prevent fraud. Bachman, CFE, MBA, is responsible for seminar development and the educational content of all ACFE conferences and online learning. Most recently he worked in Higher Education as director of an audit unit and was project manager on several IT implementations specializing in security. His largest fraud investigation, for over $1.5 million, was conducted during this time. Previously Bachman worked in or consulted for retail, real estate and manufacturing, and has done extensive small business consulting where he has actively worked a number of fraud cases. His fraud investigation experience extends back to the mid-'70s and has continued th