


   ISSUE 44

18 March 2015

Article of the Month

5 ways an experienced CISO should drive high-quality Information Security programs



As the number and severity of cyber-attacks and security breaches continue to rise, the presence and influence of chief information security officers (CISOs) have increased significantly, and the role is now among the fastest growing positions in the corporate C-suite and senior management. In recent developments in the Sri Lankan context, starting from early 2014, several organizations (especially in the financial sector) have demanded a dedicated senior officer's involvement in managing information security risks within their governance frameworks.
The CISO's role is to protect the organization's reputation, information assets and intellectual property, and to guide the adoption of innovative technologies so that all business transactions are conducted securely. To fulfil stakeholders' expectations of making the digital infrastructure a safer place to work and conduct business, the CISO needs insight into the overall business processes at a high level.
The following five ways are designed to help CISOs and other top-level information security officers avoid the operational difficulties that complicate carrying out tactical and strategic functions.

1. The more you know your business, the more you know your playground

A deep understanding of your business is extremely important for a CISO. Because most senior CISOs have come up through a purely IT, technical or audit background, they are often reluctant to learn the nature of the business they are involved in.
True, your objective is to understand IT and information risks and to make sure proper controls are in place, but you will not become an "excellent contributor" to the senior management forum if you are a silent listener who speaks up only during security discussions. Be familiar with the products and solutions you offer and the revenue-generating models, and understand the enterprise culture you work in.

2. Be smart about the political landscape

Know which political battles you will win and which you will likely lose. Many information security officers face daily surprises: information security was left out of the decision-making process, and now a new online portal for financial transactions is live and exposed to the internet. This is where a CISO should demonstrate executive maturity. Always re-establish positive and productive relationships with business owners. Argue with facts and business-related points. Don't talk about bits and bytes; they hate it. Speak business. Give examples. Be a good communicator. Otherwise you will just be occupying a seat in the C-suite.



3. Be a salesman for the entire organization

As a CISO, you play a distributed role. Ultimately you will be the person justifying the information security budget, in other words selling the business case to the CEO or the Board of Directors. Build strong communication skills to sell yourself and your ideas to the stakeholders. Once in a while, sit with an end user and explain why the company has blocked external USB drives and why browsing cloud storage sites such as Dropbox is not allowed. Spending time with all layers of the organization will be a success factor for an approachable CISO, since ultimately your security vision will be enforced on everyone at every layer who handles sensitive information assets.

4. Don't struggle to sustain in-house security resources

In today's world, chief information security officers (CISOs) are often challenged by a lack of resources, ranging from reduced budgets to lowered headcounts. In the Sri Lankan context, every year we lose talented security professionals who leave to pursue a more comfortable lifestyle overseas. None of us can stop this until the industry matures and every critical organization seeks the involvement of security officers. It is also impractical to pay high remuneration to information security staff while top profiles in other departments earn less. Keep a trusted external security consultant who offers great service and is strategic to the information security programme. Such advisors might be hired on a contract basis, on a project basis, or even as a volunteer service where possible, so that CISOs can minimize the expenditure on maintaining senior-level on-site resources.
CISOs should make sure they take wise decisions when selecting consultants, and they should not entertain any "security product promoters".

5. Continuous education and awareness

The CISO should also pursue continuous education, such as vendor-neutral certifications, including those offered by (ISC)², ISACA, SANS, etc. These qualifications refresh the memory, provoke new thinking, increase credibility, and are a mandatory part of any sound internal training curriculum. Also, don't scream at your CEO about approving the budget for the next RSA Conference or Black Hat event when the company is going through a difficult period. There are many modern facilities available for gaining knowledge, such as WebEx sessions with live instructor interaction. Spend some time with Google, write to forums, wait for free security educational sessions and join them as a team, and explore YouTube for the areas that interest you. The world of education and security updates is at your fingertips until your company posts good numbers and shows a green light for information security training budgets.


Wasantha Perera

CISSP, CRISC, ECSA, CEH(V3), Certified CISO from EC-Council USA
ISO27001 Lead Auditor

Wasantha helps a range of commercial companies, agencies and specialist teams in the region as an independent security advisor to secure business-critical information assets. During his career he has served leading organizations including Millennium IT, N-able (a fully owned subsidiary of Hemas Holdings PLC), Bartleet Group and MAS Holdings. He is the Head of Information Security and Compliance at the Colombo Stock Exchange, the national stock exchange of Sri Lanka, and also the president of the (ISC)² local chapter. (ISC)² is a non-profit organization which specializes in information security education and certifications and has been described as the "world's largest IT security organization". Wasantha holds bachelor's and master's degrees from the University of Peradeniya and has received multiple prestigious awards in the security industry, including the (ISC)² President's Award 2014, (ISC)² Honoree in the Senior Information Security Professional category, and finalist in the Certified CISO awards at the EC-Council Global CISO Awards 2014.


Around the World

30 percent of organizations collecting Big data

“..The Internet of Things, or IoT, is projected to undergo massive growth with 4.9 billion IoT-connected devices in 2015 and more than 25 billion predicted to be in use by 2020, according to Gartner....”

Securing The Mobile Workforce In The Age Of BYOD

'....Your house and office need keys. Your bankcard and mobile phone need PINs. Your computer and online accounts need passwords. When it comes to software, innate security features are crucial. Those safety features are designed to protect people, the companies that hire them and data entrusted to them. Yet in a time when convenience is king, safety can often slip by the wayside – especially when it comes to mobile devices...'

HP Aruba purchase bolsters wireless networking business



'...Hewlett-Packard will purchase Aruba Networks to boost its wireless networking business, the companies announced Monday.

HP will offer US$24.67 per share, giving Aruba a $3 billion value. The deal is worth $2.7 billion taking into account Aruba's debt and cash.....'



'...The State Department says it needs to reconstruct its classified computer systems after suffering a hack the agency has said only affected its unclassified networks.....'

Cybersecurity in 2015: What to expect

'...Information security and privacy are perennially hot topics, but as 2015 gets underway the temperature seems to be turned up particularly high. Recent months have seen high-profile cyberattacks and actual atrocities that have focused the world's attention on topics surrounding data protection, encryption, privacy and surveillance as never before....’

Month in Brief
Facebook Incidents Reported to Sri Lanka CERT|CC in February 2015
Statistics - Sri Lanka CERT|CC


'....The Census Bureau is attempting to introduce the 2020 headcount to the digital age by offering the public the option of responding via the Internet.

Still five years away from that lofty goal, already the Government Accountability Office has spotted early warning signs that the bureau’s plan is not heading for an auspicious unveiling. The watchdog report released Monday detailed miscalculated timelines and costs for the project....'


The Power of Real-Time APIs - Apple Watch and BMW

'...One of the most exciting parts of this week's Apple Watch launch was the example of the BMW watch app.

This app allows you to see the charging status of your BMWi electric car, right from your wrist.

You can also check the status of the doors of your car (important information such as whether they are locked or not!). Although the star of the show was the watch app, APIs had a cameo appearance, since the information shown on the watch is fetched in real time from APIs.....'

Google's follow-up to the high-end Chromebook Pixel is real

'...Cloud power-users, prepare to salivate: Google's back with a brand new version of its high-end luxury laptop. Oh yes, gang, it's true: It's the Chromebook Pixel, version 2.0. Like the original model, launched two years ago, the new Pixel is a top-of-the-line laptop for people committed to the cloud-centric Chrome OS lifestyle. It's similar to the first-gen device but with some significant improvements.....'




'.....It's not safe for humans to spend much time at the Fukushima-Daiichi power plant anymore. Four years ago, a massive tsunami hit the facility, triggering a core meltdown that earned the most severe ranking on the International Nuclear Scale—on par with the Chernobyl disaster in 1986. (It's worth noting, though, that far more radiation was released at Chernobyl than at Fukushima.)....'





'....The Central Intelligence Agency has secretly attempted for years to crack the security protections on a number of Apple products, including the iPhone and iPad, according to newly revealed documents from Edward Snowden....'

Notice Board
Training and Awareness Programmes - March 2015
- 03/10/15 E-Learning content development programme for Pirivena Education Sector - CHPD, Pelawatte
- 03/10/15 Internet Safety Awareness - St. Mary's College, Kegalle
  - Kegalu Vidyalaya, Kegalle
- 17-20/03/15 Workshop on planning grade 7 content - CHPD
- 16-20/03/15 Training programme for newly recruited teachers who are teaching G.C.E. (O/L) classes - ICT Lab, Ministry of Education
