Second-Guessing the CISO in an Emergency
Don’t do it. Wendy Nather shows an example of the kinds of constraints that organizations have to work with, and why they may make decisions that you don’t understand from the outside.
Wendy Nather is Head of Advisory CISOs at Cisco’s Duo Security, based in Austin, Texas. She was previously the Research Director at the Retail ISAC, as well as Research Director of the Information Security Practice at independent analyst firm 451 Research. Wendy led IT security for the EMEA region of the investment banking division of Swiss Bank Corporation (now UBS), and served as CISO of the Texas Education Agency. She speaks regularly on topics ranging from threat intelligence to identity and access management, risk analysis, incident response, data security, and societal and privacy issues. Wendy is co-author of The Cloud Security Rules, and was listed as one of SC Magazine’s Reboot Leadership “Influencers” in 2018 and Women in IT Security “Power Players” in 2014.
Despite everything we know about the risk of SIM hijacking as a vector of compromise, there’s no way that we can reasonably tell organizations to stop using SMS authentications.
When CISOs do threat modeling, we come up with all sorts of attacks and more. Then we have to pick the controls that address as many of the risks as possible, and weigh all of the factors that go into allowing authentication.
Every time you think you’ve figured out this risk management thing, something else happens to torpedo your hidden assumptions. We have to adapt to circumstances of technology use that we might not have foreseen in life and in security.
The blurred lines between personal IT and business IT have a couple of implications. One is that sometimes the only difference between work and home is the login name you use for that SaaS application. The other implication is that when you’re using the same software as a consumer and as a worker, you get used to the ease of consumer-grade experiences and you don’t want to give them up.