Casey Lang

Recent Posts

How to Avoid a Costly Incident in the Cloud

Posted by Casey Lang on Jul 7, 2016 10:19:35 AM


This post describes a scenario-based security incident that can have significant financial impact on a business operating a cloud environment, and portrays the development practices that could enable such an incident to occur with considerations for how to reduce the risks of this type of incident by appropriately applying secure development practices and security practices around the use of cloud services and web-based tools.



Topics: Breach, cloud

Cybersecurity – When You’re Not a Large Enterprise

Posted by Casey Lang on May 26, 2016 11:03:31 AM


Business owners rely on internet connectivity for everything from business operations, productivity and collaboration services to maintaining customer relationships. Unfortunately, that reliance on internet connectivity and cloud services also increases the risk and exposure to cyber crime. In addition to stealing money through fraud and deception with tools like ransomware, cyber criminals can damage your business's reputation and, depending on the impact and headline-worthiness of an incident, put you out of business completely. For a small business, a cyber incident or breach can have a much greater impact on the ability to do business than it would on a large enterprise that can absorb the costs of incident response.

A business can never be completely safe from the threat of cyber crime, but most cyber attacks can be mitigated with some basic security practices. Online security should be taken as seriously as locking the doors of your business and storing cash and valuables in a safe location. Clients expect, and have a right to, the security of their data, and it is essential to take steps to prevent that data from being exposed on the internet through poor security practices. The following tips will enhance your defenses against cyber attacks:


Topics: Cyber Attack, cybersecurity

GRC: From the Top Down

Posted by Casey Lang on May 11, 2016 2:58:23 PM


The winds of change blow at gale-force speeds in the IT industry, and information security is becoming accepted as essential to doing business; recent high-profile cases of large-scale corporate hacks have shown how essential it is to have security programs in place. In this two-part post we focus on Governance, Risk, and Compliance (GRC), an increasingly important aspect of a mature information security program, and on how you can begin to apply the concepts of GRC to your organization. First, we discuss GRC at a high level and why GRC should be applied from the top down in an organization, since governance, risk, and compliance ultimately fall within the executive team's areas of responsibility. Next week's post will cover three of the top GRC platforms and discuss the strengths and weaknesses of these products in supporting the automation and measurement of your information security capability.


Topics: eGRC

Why the FTC may be Involving Itself in PCI

Posted by Casey Lang on Apr 22, 2016 6:52:57 PM


In catching up on some reading from last month, I noticed an interesting article about the FTC taking a hard look at the effectiveness of the PCI Data Security Standard (PCI DSS) and assessor audit processes. Although I disagree with some of the assertions of the post, especially the statement that the PCI Data Security Standard is only a "core set of 12 basic requirements", I do agree that the involvement and interest of the FTC in PCI assessment processes, methodologies, and practices is worth discussing.


So, why is the FTC involving itself? I believe the intent could be two-fold: to push assessor companies harder to move away from inadequate scoping and validation during PCI assessments, or to serve as a representative for the people affected by payment card breaches.



Topics: PCI

Digital Hostage Taking: Ransomware's Impact on the Healthcare Industry

Posted by Casey Lang on Feb 26, 2016 11:17:36 AM

Recently, Hollywood Presbyterian Medical Center paid attackers for the decryption key after the hospital's systems and data were held hostage. While this style of attack is not new, the increase in attacks has businesses on edge. Ransomware is malicious software that blocks access to a network or system until a ransom is paid. In many cases the data is encrypted and there is no economical way to retrieve it until the decryption key is given to the victim, which usually happens only when a ransom is paid. In the case of Hollywood Presbyterian, the hospital decided to pay the ransom of about 40 bitcoins, worth approximately $17,000.

Security consultants who have assessed healthcare practices have likely interviewed medical staff and gotten the strong sense (if not been directly told) that their work was diverting attention away from patient care. This mentality is one of the reasons the healthcare industry faces challenges when it comes to information security. The culture of providing healthcare over all else, used as the justification for neglecting information security, has finally hit an impasse: patient health and safety were jeopardized by a cyber security incident. The attitude toward information security, the time it takes and the costs it carries, has to change. It is unfortunate that it seems to have taken an incident like the one at Hollywood Presbyterian to highlight how information security actually aligns with the healthcare industry's health-first ideals.


Topics: cybersecurity, ransomware

Where Should the Chief Information Security Officer Reside in Your Org Chart?

Posted by Casey Lang on Sep 15, 2015 3:06:00 PM

The debate over the placement of the Chief Information Security Officer on the org chart continues, and the information security community seems to agree on the premise that separation of duties should ensure an information security function can operate autonomously, with a mission separate from that of the IT function. The opposing argument is also made, since successful information security programs exist today within the ranks of IT. However, there is little consensus on the common factors that contribute to the success of an information security program as they relate to the organizational location of the CISO. So what might these success factors be?


A common concept is the need for management buy-in to an information security program. More than just buying in, the executive team should be thoroughly involved as a stakeholder and a governance participant in the information security program. A CISO must have the autonomy, visibility, and decision-making authority to set strategy, drive change, and exert influence throughout the business. Reporting through the IT function without these can constrain an information security function by forcing alignment with a mission that is narrow and at odds with that of an information security program, limiting the exposure needed to articulate information security initiatives upward.
