
INFORMATION SECURITY

DECEMBER 2016
VOL. 18 | NO. 10

DEDICATED CISO JOB STILL QUESTIONED

HIGH-STAKES ROLE: MGM RESORTS CISO SCOTT HOWITT

AFLAC CISO TIM CALLAHAN ON GLOBAL SECURITY, RISK

REPORT: CYBERSECURITY CAREER DATA

DEDICATED TO INFORMATION SECURITY
With CISOs on the rise, the position calls for technical, business and leadership talent. Who wouldn't love this job?

BUILDING A CYBERTHREAT INTELLIGENCE CAPABILITY

ANAHI SANTIAGO: HEALTHCARE INFOSEC LEADER

IT'S TIME TO CLARIFY OWNERSHIP OF RISKS IN THE CLOUD

HOME
EDITOR'S DESK
HIGH-STAKES ROLE: SCOTT HOWITT
GLOBAL CISO: TIM CALLAHAN
REPORT: CYBERSECURITY CAREER DATA
THREAT INTELLIGENCE OVERLOAD
RANUM Q&A: ANAHI SANTIAGO
SHACKLEFORD: OWNERSHIP OF RISK

EDITOR'S DESK

Dedicated to Information Security

The CISO job description is always up for debate. Is it a technical role, or is it moving out of the IT department to influence broader security and risk management initiatives? BY KATHLEEN RICHARDS

THE HEAD OF information security is a role that differs from company to company. Some organizations assign the job title in name only. Others view the CISO job as primarily a technical role. Large enterprises look for a seasoned executive who can lead the information security program (read: build one that works) and implement cybersecurity policies tailored to business strategy.

"Ten years ago, we were buried in the infrastructure team, and we were known as the security guy or gal," says Scott Howitt, senior vice president and CISO at MGM Resorts International, who is profiled in this issue. In Howitt's view, the CISO role has been elevated, in some cases, to an executive level on par with the CIO.
2 INFORMATION SECURITY

DECEMBER 2016

At Fortune 500 companies, the CISO job description is less about technology proficiency and more about information security (intellectual property and data protection, risk management, forensics and investigation, business continuity and disaster planning, regulatory compliance, data privacy issues) and strategic security initiatives. Building a threat intelligence capability and communicating risk to non-security executives, especially ownership of risk in the cloud, as Dave Shackleford explains in his column, are two areas that will receive increased scrutiny in 2017.

"Cybersecurity is not really a technical venture," says Larry Larsen, CISO of the Apple Federal Credit Union. "It is a behavioral venture in a technical environment, and that is where the counterintelligence approach comes in," he tells Jaikumar Vijayan, who reports on cyberthreat intelligence programs for this issue.


Should the CISO influence the IT organization or be part of it? This is an ongoing debate. The first CISO was brought in to perform a business function, not IT, in the mid-90s. Steve Katz was hired at Citicorp (before the blockbuster merger with Travelers Group in 1998, which created Citigroup) after the banking giant was breached. Citicorp executives realized that they needed an executive-level security function to protect their financial services business. Yet companies today do not allocate resources for a dedicated security officer, and the CISO job description is still unclear to many business executives. Funding is an ongoing issue as well because the position does not generate revenue.

Is the organization safer with a CISO? That's the bottom line.

The Obama administration appears to have come to that conclusion, after the Office of Personnel Management breach, with the September hiring of the first Federal CISO, retired Brigadier General Gregory J. Touhill, a move pledged in the Cybersecurity National Action Plan. (Will this be a CISO position in name only, as some have suggested?) As Touhill works to implement cybersecurity policies and best practices across agencies, he will have help in the form of Acting Deputy CISO Grant Schneider, the former CIO at the Defense Intelligence Agency and, most recently, director of cybersecurity policy for the National Security Council.

This CISO job is not going to get easier. Rapidly changing infrastructure, untethered devices and the internet have ushered in vulnerabilities and threats that have increased the challenges of securing data and information systems. The CISO position continues to demand technology knowledge, business acumen and cybersecurity skills. In this special CISO edition of Information Security magazine, we talk with chief information security officers from different industries (entertainment, financial services, healthcare, retail and technology) about the evolution of the CISO position and some challenges ahead.

KATHLEEN RICHARDS is the features editor of Information Security magazine. Follow her on Twitter: @RichardsKath.

HIGH-STAKES ROLE

SCOTT HOWITT, CISO OF MGM RESORTS INTERNATIONAL

"Many companies are making the CISO a peer to the CIO or taking the position out of IT altogether," Howitt says.

By Alan R. Earls

THE ROLE OF CISO can keep you up nights, but it has its lighter moments. Scott Howitt, senior vice president and CISO at MGM Resorts International in Las Vegas, likes to tell about the frantic call he got from an executive at one of his previous positions: Russian gangsters had broken into his machine and were threatening him. "I thought that was odd behavior for Russian cybercriminals as they are usually only after money," Howitt recalls. The reality turned out to be less frightening. The executive's son had installed spyware on his father's PC and would turn on the webcam to spy on him at work. Then he would make phone calls in a Russian accent and tell his father that he was watching him. "It was meant as a prank, but when my cyber team discovered the truth, the executive was a little embarrassed," Howitt says.

In his 26 years of experience, Howitt has held various technology and leadership positions. Prior to joining MGM Resorts International, Howitt was the vice president and CISO at JCPenney and director of information security at Alliance Data Systems. As a founding member of the advisory board for the Retail Cyber Intelligence Sharing Center (R-CISC), which is dedicated to public and private security information sharing, and as a member of the Nevada Commission on Homeland Security Cyber Security Committee, he shares his hard-won expertise.
How have you seen the role of CISO evolve in recent years, and what changes do you anticipate in the future?

The change that really strikes me is the elevation of the role of CISO. Ten years ago, we were buried in the infrastructure team and we were known as the security guy or gal. Some forward-thinking companies had a CISO, but most did not. Now it is seen as a key role, and many companies are making the CISO a peer to the CIO or taking the position out of IT altogether. The CISO now has regular meetings with the audit committee and often the full board. With digital enablement and the internet of things, there are many new challenges that may not involve IT that still require CISO awareness.

In your career, what are some of the initiatives or accomplishments that you feel were most significant?

After the Target breach, there was a big panic amongst retailers. Many companies had let their security lapse, and some did not even have a security department, let alone the role of CISO. A group of concerned retailers met at the National Cyber-Forensics and Training Alliance, and the idea for the Retail Cyber Intelligence Sharing Center was born. A group of about 10 companies led the charge on establishing the 401(c)3. JCPenney was one of the founding companies, and I have been on the board of R-CISC since the start. The sharing of cyber ideas and threat analytics is rewarding because you are not only helping your company, you are helping the cybercommunity as a whole. I feel very fortunate to work with the members of the R-CISC and have enjoyed seeing it grow from an idea to a vibrant organization.

When you speak to others about cybersecurity, what are your typical bits of advice?

Slow down and don't be so quick to click on that link or open that attachment. Cybercriminals prey on people's instinct to complete a task or help a person in distress. That is why so many of the phishing attacks use tactics like "Someone has your password; reset your password now," or they will use tragic events like natural disasters to lure people into giving out their information. If you feel you need to reset your password or you want to make a charitable contribution, go directly to the website and do it; never click on links.

ALAN R. EARLS is a Boston-based freelance writer focused on business and technology.


GLOBAL CISO

TIM CALLAHAN, CISO OF AFLAC

"With today's cyberthreats, the CISO has to know more about intelligence, information sharing, working with government and private industry, and how to tailor the security program to further the business," Callahan says.

By Alan R. Earls

TIM CALLAHAN IS the senior vice president of global security and CISO at Aflac Inc., an insurance provider based in Columbus, Ga., whose iconic white duck has successfully branded the Fortune 500 company in the U.S. and Japan. The Aflac CISO is in charge of the global security program, including all security operations, IT compliance and risk management.

He has held several prominent leadership roles in financial services. Prior to Aflac, as senior vice president of enterprise business continuity and information assurance at SunTrust Banks Inc., Callahan was responsible for leading the risk management team and integrating multiple information security functions to provide a unified approach to threat and vulnerability management, mitigation strategies and incident response. He also served as first vice president and CISO at People's United Bank.

Prior to his work in the private sector, Callahan was a military professional for 23 years, ultimately serving a command risk management function as a program manager at a United States Air Force Major Command.


Callahan has chaired numerous conferences, including six years at the annual IT Governance, Risk and Compliance Summit. This year, the Aflac CISO became the inaugural board chair of the National Technology Security Coalition (NTSC), a nonprofit organization formed in January by the Technology Association of Georgia. The coalition's mission is to further CISO development and build awareness of information security policies and legislation.

What has led to your involvement in the National Technology Security Coalition, and what are your priorities as chairman of the board?

I think the major role of the National Technology Security Coalition is to be seen as an honest broker and partner in helping to educate legislatures and policymaking arms of the government. To gain [that] level of trust and respect, NTSC must remain nonpartisan. As we build the coalition, I hope to ensure that all board members and sponsors stay aligned to the overriding goal. I think we can hold events that promote these goals and that also help educate CISOs on how they can be more impactful in public policy decisions that are good for America and good for our business climate. We must always seek to serve the larger good and protect the consumer.

How have you seen the role of the CISO evolve in recent years?

The CISO has evolved from a technical security role to that of a corporate executive with a risk management focus. Due to the emerging nature of the cyberthreat, the CISO has to know more about intelligence, information sharing, working with government and private industry counterparts and how to tailor the security program to further the company's business.

Security is no longer an IT issue. It is a business imperative, especially in industries where you have clients' private information. The CISO will continue to evolve in the aspect of business partners and will be relied on more to ensure the investment in security is meeting business needs.

As the Aflac CISO, what do you find interests the board of directors the most? What do you think boards typically need to focus on to have a better understanding about cybersecurity in their role as corporate stewards?

Each board member can be unique in what interests them the most. Some are interested in statistics about the number of attempts, while [others] are interested in the threat trend and how it affects the company. However, on a whole, they seem most interested in how we have identified the risk/threat to our environment. Are the measures we're taking to address the threats effective? Are we staying with or leading the industry? And do we have the right level of executive focus and support?

How has your background in risk management, particularly in the Air Force, informed your work in cybersecurity?

The training and experience I gained in the Air Force, particularly in the role I had, has helped me recognize risk and almost instinctively classify the risk based on the severity or penalty if the risk is realized. By recognizing these aspects of risk, it helps me make more reasonable decisions about how we should address it. In a world where there are so many threats, one does not want to overemphasize one risk to the detriment of another. This should not be a guessing game, but be as conscious and prescribed as possible.

ALAN R. EARLS is a Boston-based freelance writer focused on business and technology.

CAREER DATA

Cybersecurity Leadership Requires Seat at the Executive Table

Almost 70% of those surveyed said their organizations had a CISO or CSO function, but active participation with upper management and boards of directors is still limited at many companies.

Organizations with a CISO or CSO

Does your organization have a CISO, CSO or similar executive-level cybersecurity position in place today?

67%  Yes
27%  No plans to add a CISO, CSO or similar position
4%   No, but our organization is interested in creating a CISO, CSO or similar position in the future
2%   No, but organization plans to add a CISO, CSO or similar position within the next 12 to 24 months

SOURCE: THE STATE OF CYBER SECURITY PROFESSIONAL CAREERS, ENTERPRISE STRATEGY GROUP AND INFORMATION SYSTEMS SECURITY ASSOCIATION (ISSA), 2016; BASED OFF OF RESPONSES FROM 437 IT AND SECURITY PROFESSIONALS WORLDWIDE

CISO Reporting Structure by Size of Organization

What is the reporting structure for the CISO in your organization?

[Bar chart comparing organizations of <1000 (N=82) and >1000 (N=211) across three answers: CISO reports to CEO; CISO reports to CIO; CISO reports to someone other than CEO or CIO (or don't know). Values printed on the chart: 49%, 40%, 38%, 16%, 35%, 22%.]

SOURCE: THE STATE OF CYBER SECURITY PROFESSIONAL CAREERS, ENTERPRISE STRATEGY GROUP AND ISSA, 2016; BASED OFF OF RESPONSES FROM IT AND SECURITY PROFESSIONALS WORLDWIDE

CISO Reporting Structure

Currently, your organization has a CISO, CSO or similar executive-level cybersecurity position in place. Which of the following titles best represents to whom this person reports?

[Pie chart with the categories CEO; CIO; Senior IT manager who reports to CIO (i.e., VP level); COO; Chief Risk Officer; Chief Compliance Officer; Chief Legal Counsel; Other; Don't know. Values printed on the chart: 41%, 22%, 11%, 8%, 8%, 5%, 2%, 2%, 1%.]

SOURCE: THE STATE OF CYBER SECURITY PROFESSIONAL CAREERS, ENTERPRISE STRATEGY GROUP AND ISSA, 2016; BASED OFF OF RESPONSES FROM 293 IT AND SECURITY PROFESSIONALS WORLDWIDE
CREDIT: ERHUI1979/ISTOCK

Top-Level Participation

Is your organization's CISO, CSO or similar executive-level cybersecurity position an active participant with executive management, the board of directors or a similar oversight group?

37%  Very active (meets with executive management or the board of directors at least once per quarter)
22%  Active (meets with executive management or the board of directors at least twice per year)
10%  Somewhat active (meets with executive management or the board of directors at least once per year)
10%  Yes, but on an ad hoc basis when executive management or the board of directors specifically calls for a meeting
6%   No
15%  Don't know

SOURCE: THE STATE OF CYBER SECURITY PROFESSIONAL CAREERS, ENTERPRISE STRATEGY GROUP AND ISSA, 2016; BASED OFF OF RESPONSES FROM 293 IT AND SECURITY PROFESSIONALS WORLDWIDE

Skills and Attributes of Top CISOs

Which of the following are the most important qualities of a successful CISO? (Multiple responses allowed.)

50%  Leadership skills
47%  Communication skills
30%  A strong relationship with business executives
29%  A strong relationship with the CIO and other members of the IT leadership team
23%  Management skills
22%  Technical acumen
19%  Strong knowledge about regulatory compliance and legal matters
18%  Business acumen
17%  A long tenure as a cybersecurity professional
14%  Past experience working in an IT department
10%  Years of experience as a CISO or in a similar role
9%   Operational skills
1%   Law enforcement or military experience

SOURCE: THE STATE OF CYBER SECURITY PROFESSIONAL CAREERS, ENTERPRISE STRATEGY GROUP AND ISSA, 2016; BASED OFF OF RESPONSES FROM 437 IT AND SECURITY PROFESSIONALS WORLDWIDE
CREDIT: ERHUI1979/ISTOCK

THREAT INTELLIGENCE OVERLOAD

SEVEN WAYS TO AVOID THE FEEDING FRENZY

Cyberthreat intelligence is just data if it is not actionable.

By Jaikumar Vijayan

AS A FORMER security analyst with a government contractor, a lot of the work that Larry Larsen did for federal agencies involved extensive use of threat intelligence in cyberdefense strategies.

"We were seeing so many different attacks from so many different sources against government, it was an operational imperative to know where it was coming from and why," Larsen recalls.

Today, as the chief information security officer at Apple Federal Credit Union in Fairfax, Va., Larsen sees a lot of value in applying similar methods in a threat intelligence program designed for dealing with the multifaceted threats directed against his current employer.

"Cybersecurity is not really a technical venture," he says. "It is a behavioral venture in a technical environment, and that is where the counterintelligence approach comes in."

Most companies have firewalls, antivirus and other IT security tools they can plug into their network infrastructure. But that often doesn't tell security analysts anything about the source of the attack or who is entering through the side door.

"I want to know who is sitting at the keyboard launching these attacks and what they are trying to get," Larsen says. "Is it just financial data? Is it part of a broader information-gathering campaign? Is it something they are collecting to use for a more catastrophic attack?"

Larsen is among a growing number of security officers who have implemented a threat intelligence capability to help steer the technical aspects of their security program. In 2015, the threat intelligence market accounted for a somewhat modest $190 million in revenues, according to analyst firm IT-Harvest. But it is expected to top $460 million this year and over $1.5 billion in 2018.

Driving the market is the growing focus on aligning security efforts closer to actual needs and enabling better situational awareness based on the specific nature of threats that an organization faces. Digital Shadows, headquartered in San Francisco and London, provides these types of services (tailored threat analysis and alerts, dark web searches for stolen data and credentials, and more) through its SearchLight platform.

"It's about knowing what is going on around you so you can figure out what to do," says Rick Holland, a longtime Forrester Research analyst, who is currently vice president of strategy at Digital Shadows and co-chair of the SANS Cyber Threat Intelligence Summit. Situational awareness requires tools that provide visibility both inside and beyond the perimeter of an organization, he says.

Here, according to Larsen and other security experts, are some of the things you need to keep in mind when implementing a cyberthreat intelligence capability.

TAP YOUR INTERNAL INFRASTRUCTURE FIRST

A lot of the data that you need to build a robust situational awareness capability resides inside the organization. Data from application logs, intrusion detection and intrusion prevention systems, firewalls, endpoint antivirus systems and other security controls can tell you a lot about what's going on inside your network and the vulnerabilities and exposures you face, notes Bill Podborny, CISO at Alliant Credit Union in Chicago.

It can tell you who's knocking on your network, what's already inside, and what normal user and network behavior looks like. Importantly, he adds, the data you collect from your internal systems, using security information and event management (SIEM) or a data collection and analysis tool such as Splunk, can help you identify gaps and exploitable vulnerabilities in your security controls so you can prioritize your response.

Too often, organizations focus on using outside threat feeds and threat data. They fail to tie the information back to what is going on inside their own network because they don't have enough visibility.

"The best source of intelligence is your own data," says James Carder, CISO at SIEM provider LogRhythm, based in Boulder, Colo. The company's Unified Security Intelligence Platform combines log management, endpoint and network monitoring, SIEM and security analytics.

"If you don't have the infrastructure part in place, you can't take intelligence data into your organization. You can't operationalize it if you don't look at your own data," Carder says.

MAKE USE OF INTRUSION DATA

Any approach to building a threat intelligence program should include processes for collecting and analyzing different malicious behaviors inside the network; threat intelligence data from within your particular industry, be it financial services, healthcare or retail; and, only then, threat data from the broader world beyond your line of business.

Organizations must gather threat intelligence from the actual intrusions occurring within the environment, Holland notes. For instance, the security organization should monitor and collect data about exploits and botnet activity, command and control traffic, malware delivery mechanisms and file exfiltration.

You need to be able to gather IP addresses, malicious domain names, file hashes and other indicators of compromise from an attack on your organization and use that information to quickly identify similar attacks targeting your network in the future. The goal must be to have controls for spotting expected and unexpected threats and correlating behavior with identified threats.

"There is no more relevant threat intelligence than what is actually occurring within your organization," Holland says.

IT'S ABOUT QUALITY, NOT QUANTITY

One common misperception surrounding threat data is that you need a lot of it to be really effective. The reality is that, unless your organization has the staff and the resources to sift through massive data sets looking for the proverbial needle in the haystack, what you need to be focusing on is threat data quality.

"I don't care if you send me 500 TB of data every day," says Larsen of Apple Federal Credit Union. "I would rather have 1,024 KB of information that I actually can use."

The key when subscribing to threat feeds is to select those that help you answer the "so what" questions, Larsen adds. There are any number of feeds and services that provide information on emerging threats and threat actors but fail to identify why your organization should care about it.

It is not unusual for multiple threat services to use threat feeds from a single source. So a lot of the information coming at your security operation could be duplicate data as well.

Organizations must stay clear of trying to subscribe to all the feeds, Holland advises. Threat intelligence that isn't relevant to your business, to your threat model, is going to overwhelm your security staff and security controls. On the other hand, relevant threat intelligence reduces the noise that security teams must address, freeing them to focus on smaller and more relevant incidents, he adds.
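The two preceding sections describe the same pipeline from opposite ends: indicators harvested from your own intrusions are the most relevant intelligence you have, while external feeds that resell one upstream list arrive as duplicates and noise. The following Python script, an added example that is not code from the article or from any vendor it names, puts both ideas into one working pass: it canonicalizes indicators (IPs, domains, SHA-256 hashes) from a constructed internal incident-response list and two constructed overlapping feeds, drops malformed entries, collapses duplicates while remembering every source that reported each indicator, ranks each indicator by relevance (seen in our own intrusions, then matches our sector, then everything else), and correlates the result against constructed firewall, proxy and EDR log lines. The sector name, feed names, field layout and every indicator and log line are assumptions made for the example.

```python
"""Normalize, deduplicate and rank threat indicators, then correlate them
against sample log lines. Added example: all indicators, feed names, log
lines and the sector label are constructed for illustration."""
import ipaddress
import re

OUR_SECTOR = "financial"  # assumption: the subscribing organization's line of business
# SHA-256 of the empty string, used only as a stand-in for a malware hash
SAMPLE_HASH = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Indicators recovered from our own incident response (constructed)
INTERNAL_IOCS = [
    {"type": "ipv4", "value": "203.0.113.45", "source": "internal-ir", "context": "C2 beacon from host fin-ws-07"},
    {"type": "domain", "value": "Update-Check.example", "source": "internal-ir", "context": "credential phishing page"},
    {"type": "sha256", "value": SAMPLE_HASH.upper(), "source": "internal-ir", "context": "dropper"},
]
# Two constructed vendor feeds that resell the same upstream list, hence the overlap
FEED_A = [
    {"type": "ipv4", "value": "203.0.113.45", "source": "feed-a", "sector": "financial"},
    {"type": "ipv4", "value": "198.51.100.7", "source": "feed-a", "sector": "financial"},
    {"type": "domain", "value": "update-check.example.", "source": "feed-a", "sector": "financial"},
    {"type": "domain", "value": "ICS-Vendor-Portal.example", "source": "feed-a", "sector": "energy"},
]
FEED_B = [
    {"type": "ipv4", "value": "198.51.100.7", "source": "feed-b", "sector": "financial"},
    {"type": "ipv4", "value": "198.51.100.999", "source": "feed-b", "sector": "retail"},  # malformed
    {"type": "sha256", "value": SAMPLE_HASH, "source": "feed-b", "sector": "financial"},
    {"type": "domain", "value": "ics-vendor-portal.example", "source": "feed-b", "sector": "energy"},
    {"type": "domain", "value": "ics-vendor-portal.example", "source": "feed-b", "sector": "energy"},
]
# Constructed firewall, proxy and EDR events
SAMPLE_LOGS = [
    "2016-12-01T08:02:11Z fw allow src=10.0.4.21 dst=203.0.113.45 dport=443",
    "2016-12-01T08:05:40Z proxy GET http://update-check.example/login user=jsmith",
    f"2016-12-01T08:06:02Z edr file-created sha256={SAMPLE_HASH} host=fin-ws-07",
    "2016-12-01T08:09:13Z fw allow src=10.0.4.22 dst=192.0.2.10 dport=80",
    "2016-12-01T08:11:55Z proxy GET http://ics-vendor-portal.example/ user=mlee",
    "2016-12-01T08:12:30Z fw deny src=10.0.4.23 dst=198.51.100.7 dport=8443",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
URL_HOST_RE = re.compile(r"https?://([^/\s:]+)")


def normalize(ioc):
    """Canonicalize one indicator so copies from different feeds compare equal.
    Returns (type, value), or None for malformed entries so they never reach the index."""
    kind, value = ioc["type"], ioc["value"].strip()
    if kind == "ipv4":
        try:
            value = str(ipaddress.IPv4Address(value))
        except ValueError:
            return None
    elif kind == "domain":
        value = value.lower().rstrip(".")
        if not re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", value):
            return None
    elif kind == "sha256":
        value = value.lower()
        if not re.fullmatch(r"[0-9a-f]{64}", value):
            return None
    else:
        return None
    return kind, value


def priority(entry):
    """Relevance order: seen in our own intrusions > tagged with our sector > the rest."""
    if "internal-ir" in entry["sources"]:
        return "high"
    if OUR_SECTOR in entry["sectors"]:
        return "medium"
    return "low"


def build_index(*collections):
    """Merge indicator lists into one deduplicated index keyed by (type, value),
    keeping every source, sector tag and investigation context attached to each key."""
    index = {}
    for ioc in (i for c in collections for i in c):
        key = normalize(ioc)
        if key is None:
            continue
        entry = index.setdefault(key, {"sources": set(), "sectors": set(), "context": []})
        entry["sources"].add(ioc["source"])
        if "sector" in ioc:
            entry["sectors"].add(ioc["sector"])
        if "context" in ioc:
            entry["context"].append(ioc["context"])
    for entry in index.values():
        entry["priority"] = priority(entry)
    return index


def extract_observables(line):
    """Pull candidate IPv4 addresses, SHA-256 hashes and URL hosts out of one log line."""
    found = {("ipv4", ip) for ip in IPV4_RE.findall(line)}
    found |= {("sha256", h.lower()) for h in SHA256_RE.findall(line)}
    found |= {("domain", host.lower().rstrip(".")) for host in URL_HOST_RE.findall(line)}
    return found


def correlate(index, lines):
    """One hit per (line, indicator) match, carrying the indicator's merged metadata."""
    hits = []
    for n, line in enumerate(lines):
        for key in sorted(extract_observables(line)):
            if key in index:
                e = index[key]
                hits.append({"line": n, "type": key[0], "value": key[1],
                             "priority": e["priority"], "sources": sorted(e["sources"]),
                             "context": list(e["context"])})
    return hits


def run():
    """Build the index from all three collections, correlate the sample logs and report."""
    index = build_index(INTERNAL_IOCS, FEED_A, FEED_B)
    return {"raw_indicators": len(INTERNAL_IOCS) + len(FEED_A) + len(FEED_B),
            "unique_indicators": len(index),
            "hits": correlate(index, SAMPLE_LOGS)}


if __name__ == "__main__":
    result = run()
    print(f"{result['raw_indicators']} raw indicators -> {result['unique_indicators']} unique")
    for h in result["hits"]:
        print(f"line {h['line']}: {h['priority']:6} {h['type']} {h['value']} via {', '.join(h['sources'])}")
```

Twelve raw entries collapse to five unique indicators, and the six log lines yield five hits, three of them high priority because the indicator was first seen in our own intrusions. The design choice worth noting is that low-relevance indicators are ranked rather than discarded: the energy-sector domain still surfaces as a hit, just at the bottom of the queue, so an analyst can decide whether it belongs in the threat model instead of never seeing it.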

The Importance of Finished Intelligence

WHEN SUBSCRIBING TO a threat intelligence service, choose a provider who can customize the service to your specific requirements, advises Josh Zelonis, senior analyst with Forrester Research. "It would be irresponsible for someone to recommend a threat feed without an understanding of your specific organization and the motivations of threat actors who would target you," he says.

According to Larry Larsen, CISO at Apple Federal Credit Union, the goal should be to try and get finished intelligence to the extent possible from your service provider. "There's a difference between finished intelligence and just information," says Larsen, whose company has subscribed to a customized threat intelligence service from SurfWatch Labs. Finished intelligence is information you can take, digest and act upon immediately.

For instance, it's one thing to get intelligence that a threat actor was identified on the dark web offering Yahoo accounts for sale. It's another thing entirely to know that Yahoo accounts belonging to 48 people in your organization were available in that data dump.

Threat intelligence needs to be tailored for your organization in a manner that it informs strategic and tactical decision-making, Zelonis says. "Anything that has not been enriched to this level is just data and should be avoided if you do not have the capabilities in house to perform this enrichment." J.V.


THINK LIKE THE ENEMY

Take a risk-based approach when implementing a cyberthreat intelligence practice. That means understanding potential targets (where your most valuable resources are) and how they are protected. And, sometimes, the best approach for doing that is to think like the enemy, according to Larsen. "If I'm a bad guy, what would I steal and how would I steal it?"

It's important to know the main threat actors and the different technologies, techniques and processes they have used or are using to target similar organizations. What attack vectors do they usually exploit? What data are they after and why?

Do your main threats come from malicious insiders, external threat actors, state-sponsored entities or criminal gangs? Or are they from users who inadvertently click on attachments in email they receive from strangers?

"I tell my folks they have to maintain a sense of healthy paranoia," Larsen says. "You really have to bombard your employees, especially those close to the cyberdefense mission, with recurrent awareness training."

TAKE A RISK-BASED APPROACH

For threat intelligence to be really useful, you need to have a keen understanding of the risks that your organization faces from these threats, states Ryan Stolte, cofounder and CTO of Bay Dynamics, a San Francisco-based security vendor that offers Risk Fabric, an automated platform that incorporates user and entity behavior analytics.

"You need to have a threat and vulnerability, and some value at risk," Stolte says. Some threats are not relevant because your data or other assets are not at risk, he adds. "If you just have a threat and there is nothing to lose, who cares?"

The goal of a threat intelligence program should be about protecting the confidentiality, integrity and availability of your critical assets, whether it is a website, a payment system, a database or intellectual property. You need to understand where your important assets are and what would happen if they become unavailable. Is your biggest risk the loss of intellectual property, reputational damage or loss of customer confidence?

"At the end of the day, I am trying to understand: If I were to fix one thing today, what would I do that reduces risk the most?" Stolte says. "If I were to fix 100 things today, what would those be and why?"
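Stolte's framing (a threat, a vulnerability and some value at risk, with the questions "fix one thing today" and "fix 100 things today") can be written down as a small expected-loss model. The Python below is an added example, not code from the article or from Bay Dynamics, and uses a deliberately simple formula: annual expected loss = threat likelihood x exploitability x value at risk. Every asset, finding, probability, dollar value and effort estimate is constructed. It answers the first question by ranking on raw expected loss and the second by packing fixes into an effort budget in order of loss avoided per day, which is why the two answers differ; it also carries the "nothing to lose, who cares" case as a finding whose value at risk is zero.

```python
"""Rank security findings by expected loss and plan remediation under an
effort budget. Added example with constructed data; the formula is a
deliberate simplification, not any vendor's scoring method."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    issue: str
    threat_likelihood: float  # chance the threat is attempted this year (0..1)
    exploitability: float     # chance an attempt succeeds given the weakness (0..1)
    value_at_risk: float      # loss if confidentiality, integrity or availability fails (constructed USD)
    effort_days: float        # estimated remediation effort

    def expected_loss(self):
        """Annual expected loss = threat x vulnerability x value at risk.
        A zero in any factor makes the risk zero: a threat against an asset
        with nothing to lose does not rank (the "who cares" case)."""
        return round(self.threat_likelihood * self.exploitability * self.value_at_risk, 2)


# Constructed inventory of open findings
FINDINGS = [
    Finding("customer-db", "unpatched database server", 0.6, 0.5, 5_000_000, 10),
    Finding("payment-api", "unauthenticated admin endpoint", 0.8, 0.7, 2_000_000, 3),
    Finding("ip-repo", "source repository without MFA", 0.05, 0.6, 8_000_000, 1),
    Finding("hr-fileshare", "world-readable share", 0.3, 0.8, 400_000, 2),
    Finding("marketing-site", "outdated CMS plugin", 0.9, 0.9, 50_000, 1),
    Finding("test-sandbox", "default credentials, no data", 0.9, 1.0, 0, 0.5),
]


def rank(findings):
    """Order findings by expected loss, highest first."""
    return sorted(findings, key=lambda f: f.expected_loss(), reverse=True)


def fix_one(findings):
    """'If I were to fix one thing today': the single largest expected loss."""
    return rank(findings)[0]


def plan(findings, budget_days):
    """'If I were to fix N things': greedily take fixes in order of loss avoided
    per effort day until the budget is spent. Zero-risk findings are skipped."""
    remaining = budget_days
    fixes, reasons = [], []
    by_efficiency = sorted(
        (f for f in findings if f.expected_loss() > 0),
        key=lambda f: f.expected_loss() / max(f.effort_days, 0.1),  # guard against zero effort
        reverse=True,
    )
    for f in by_efficiency:
        if f.effort_days <= remaining:
            fixes.append(f)
            remaining -= f.effort_days
            reasons.append(f"{f.asset} ({f.issue}): avoids {f.expected_loss():,.0f}/yr for {f.effort_days} day(s)")
    return {
        "fixes": fixes,
        "loss_avoided": round(sum(f.expected_loss() for f in fixes), 2),
        "days_used": budget_days - remaining,
        "why": reasons,
    }


if __name__ == "__main__":
    for f in rank(FINDINGS):
        print(f"{f.expected_loss():>12,.0f}  {f.asset:15} {f.issue}")
    print("fix one:", fix_one(FINDINGS).asset)
    p = plan(FINDINGS, budget_days=5)
    print(f"five-day plan avoids {p['loss_avoided']:,.0f}/yr:")
    for line in p["why"]:
        print("  " + line)
```

With these numbers the single biggest risk is the customer database, but a five-day plan never touches it, because the ten-day fix does not fit and three cheaper fixes avoid more loss per day of effort; the sandbox with default credentials ranks last and is never scheduled, since there is nothing behind it to lose. The point of the model is not the arithmetic but that it forces every finding to state its threat, its weakness and its value at risk explicitly, which is exactly what a "so what" answer needs.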

START SMALL

When implementing a cyberthreat intelligence practice, it is easy to get overwhelmed, Podborny observes. Dealing with threat intelligence data can be like drinking from a fire hose unless you have a good process in place for consuming and acting upon the information that is pouring in from internal and external sources.

T H R E AT IN T E L L IG E NC E O VE RLO AD

HOME
EDITORS DESK
HIGH-STAKES ROLE:
SCOTT HOWITT
GLOBAL CISO:
TIM CALLAHAN
REPORT:
CYBERSECURITY
CAREER DATA
THREAT
INTELLIGENCE
OVERLOAD
RANUM Q&A:
ANAHI SANTIAGO
SHACKLEFORD:
OWNERSHIP OF RISK

Try to get some wins and


successes first, he says. Figure
out how you are going to bring in
threat data and what you are going to do with it so you can learn
from the process and then build
from there.
A win would be: You are able
Bill Podborny
to be proactive about any specific
event that could have happened to you, or where you can
prove it could have happened to you, if the event never
occurred, Podborny says.
The key to implementing a cyberthreat intelligence
program is not to let great come in the way of good, Stolte
notes.
Dont get ahead of yourself, he says. Plan for what
you are going to do. Turn on some data first. Make sure
you are getting results and you are able to take action on
those results, he adds, before rolling out the program
enterprise-wide.

STICK WITH STANDARDS

Pay attention to emerging technologies and standards. The success of your threat intelligence program depends on your ability to ingest data and act upon it, either in an automated fashion or through manual sorting.

"You need to be able to parse out the data to a point where you are able to see if it is enough to be actionable or if it's just an FYI," Podborny notes. "A big piece of threat intelligence is about correlating data and trying to take proper action against it."

Threat feeds and services that support information sharing specifications, such as Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII), represent information in a standard format and are easier to automate and share than nonstandardized data.

Enterprises are learning that technology alone isn't enough when it comes to a successful threat intelligence program, according to Digital Shadows' Holland. Technology must enable and expedite the analysis of humans.

"We are starting to see more traction with standards like Structured Threat Information eXpression, which is pushing threat intelligence players to all speak the same language," he says. "This will enable defenders to prevent, detect and respond to adversaries with more agility."
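A minimal consumer for the STIX-formatted feeds described above, as an added example written for this article and not code from any vendor or from the OASIS STIX/TAXII projects. It takes a STIX 2.1 bundle in the shape a TAXII collection returns, pulls the equality comparisons out of each indicator's pattern, correlates them with a few log lines and sorts every indicator into Podborny's two buckets: actionable (the observable showed up in our own telemetry) or FYI (nothing matched). Only the simple `[type:property = 'value']` comparison form is handled; the bundle, its ids, the TEST-NET address, the `.invalid` domain, the hash and the log lines are all constructed placeholders.

```python
"""Parse a STIX 2.1 bundle and correlate its indicators with local logs (added example)."""
import json
import re
from collections import defaultdict

# Constructed sample bundle in STIX 2.1 shape. Addresses come from the TEST-NET-2
# range and the domain uses the reserved .invalid TLD, so nothing points at a real host.
BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2016-12-01T00:00:00.000Z", "modified": "2016-12-01T00:00:00.000Z",
         "name": "C2 address (constructed)",
         "pattern": "[ipv4-addr:value = '198.51.100.7']",
         "pattern_type": "stix", "valid_from": "2016-12-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2016-12-01T00:00:00.000Z", "modified": "2016-12-01T00:00:00.000Z",
         "name": "Phishing domain (constructed)",
         "pattern": "[domain-name:value = 'updates.example.invalid']",
         "pattern_type": "stix", "valid_from": "2016-12-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "created": "2016-12-01T00:00:00.000Z", "modified": "2016-12-01T00:00:00.000Z",
         "name": "Dropper hash (constructed)",
         "pattern": "[file:hashes.'SHA-256' = "
                    "'0000000000000000000000000000000000000000000000000000000000000abc']",
         "pattern_type": "stix", "valid_from": "2016-12-01T00:00:00Z"},
        # A non-indicator object: feeds carry these too and a consumer must skip them.
        {"type": "identity", "spec_version": "2.1",
         "id": "identity--00000000-0000-4000-8000-000000000005",
         "created": "2016-12-01T00:00:00.000Z", "modified": "2016-12-01T00:00:00.000Z",
         "name": "Feed provider (constructed)", "identity_class": "organization"},
    ],
})

# Constructed log lines: one proxy hit, one DNS query, one endpoint file event.
LOG_LINES = [
    "2016-12-05T10:01:02Z proxy src=10.0.0.12 dst=198.51.100.7 url=/update",
    "2016-12-05T10:01:05Z dns client=10.0.0.12 query=intranet.corp.example",
    "2016-12-05T10:02:11Z edr host=ws-17 sha256=ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff",
]

# One STIX comparison: object-type:property = 'value' (property may be quoted, e.g. hashes.'SHA-256')
COMPARISON = re.compile(r"([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'")


def extract_observables(bundle_json):
    """Map each indicator id to its name and the (object type, value) pairs in its pattern."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    found = {}
    for obj in bundle.get("objects", []):
        # Skip non-indicator objects and non-STIX pattern languages (yara, snort, ...).
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        pairs = [(m.group(1), m.group(3)) for m in COMPARISON.finditer(obj["pattern"])]
        if pairs:
            found[obj["id"]] = {"name": obj.get("name", ""), "observables": pairs}
    return found


def correlate(indicators, log_lines):
    """Split indicators into actionable (matched a log line) and FYI (no match)."""
    hits = defaultdict(list)
    for ind_id, info in indicators.items():
        for _, value in info["observables"]:
            for line in log_lines:
                if value in line:
                    hits[ind_id].append(line)
    fyi = [ind_id for ind_id in indicators if ind_id not in hits]
    return {"actionable": dict(hits), "fyi": fyi}


if __name__ == "__main__":
    inds = extract_observables(BUNDLE_JSON)
    result = correlate(inds, LOG_LINES)
    for ind_id, lines in result["actionable"].items():
        print("ACTIONABLE", inds[ind_id]["name"], "->", len(lines), "matching line(s)")
    for ind_id in result["fyi"]:
        print("FYI       ", inds[ind_id]["name"])
```

On the constructed data only the address indicator matches (the proxy line), so it is the one that warrants action; the domain and hash indicators are filed as FYI but stay in the register for the next correlation run. A production consumer would fetch the bundle over TAXII, honor `valid_until` and `revoked`, and match on parsed fields rather than substrings.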
JAIKUMAR VIJAYAN is a freelance writer with over 20 years of experience covering the information technology industry. He is a frequent contributor to Christian Science Monitor Passcode, eWEEK, Dark Reading and several other publications.

HEALTHCARE LEADER

A CISO of a Major Healthcare System Looks Back

Anahi Santiago of Christiana Care Health System has spent much of her career in healthcare information security. "We are under attack," she says. BY MARCUS RANUM

MARCUS RANUM: Let's start with the beginning! How did you get into security?

ANAHI SANTIAGO: I had the benefit of working in project management for a systems and technology company, and I led a lot of large international infrastructure projects. That gave me access to all kinds of technology: systems, databases, web technology, programming, servers, you name it. Every single one of them had a security component. I started to gravitate toward the security part of it and got to pick security as the thing that I wanted to do.

It's rare for someone to gravitate toward security, which is why I think the security aspects of many projects get neglected. Does that match your experience?

I think the company I was working for was pretty good about that. This was over a decade ago, but they took security seriously and baked it into all the projects that they did. They had a very in-depth security approach and a good team that taught me the trade.

So you got exposed to security being done right. A lot of people came at it the other way, finding flaws and fixing screw-ups. They're 90% of the way into a project, and someone says, "Oh, we forgot about that stuff."

Every project plan I did had a security component; [each] architecture had security in it. There were standards, policies and procedures established from the beginning, so it was really easy for me to consume all of this information and understand it to the level that I was able to adopt it. And I took that approach when I went to healthcare as a field.


I know there's a tremendous amount of focus on healthcare information security right now. Back in the '80s, when I worked at a large hospital in Baltimore, information security in healthcare really wasn't on anyone's radar at all. Is that changing?

It is! I started in healthcare information security and got my first information security officer job, with a different healthcare network, in 2005. At that time, I was the only security person. I was hired in January, the security role came into effect in April, and HIPAA is the reason that I was hired.

I was able to build a program with a lot of support from the organization, which was great. I worked there for 10 1/2 years and was able to see the industry progress and adopt security as a whole. For probably a year before I left, I would get a call from recruiters at least once a week: Big, reputable healthcare organizations were looking for their first CISO. That was very eye-opening. It's still happening, but less so. There are still a lot of organizations that are building programs and lack a senior leader in security.

Would you say that HIPAA has been largely beneficial? I think that it was controversial at first.

The HIPAA security rule of 2005 was mildly effective in my opinion. HITECH was passed in 2009, and the subsequent omnibus rules and breach notification rules, where HIPAA was given more teeth, that was when organizations started to pay attention. When the Office for Civil Rights started to levy significant fines, that's when people started to really get serious about security.

A few years ago, I would have said that healthcare information security was the worst for a long time, but now government has probably surpassed medical as the worst.

Education is still pretty behind. One would have thought [government] was on the leading edge with FISMA [the Federal Information Security Management Act], but we're now learning that they're not as good as they seemed.

Many security people are both intuitive and organized, or someone organizes for them, and that often produces unorthodox characters. What strengths or weaknesses have supported your career?

I have a degree in electrical [and] computer engineering. That's where all the analytical and methodical skills come from: all those ones and zeros. My concentration in college was robotics, and I really wanted to design robots; I thought that the math was fascinating. But then I discovered that I'm a people person, and the idea of sitting behind a keyboard, in a trance, wasn't for me. So I moved away from engineering and into IT so I'd have the people aspects but still be able to tap into the fascination with technology that I have. The combination of people skills and technical skills has enabled me to transition into what [a CISO is] now: a forward-thinking, business-enabling technologist.


I used to read this magazine, Circuit Cellar, written by a guy named Steve Ciarcia [an embedded controls systems engineer]. He had a tagline that read, "My favorite programming language is solder." I was talking with someone about that at a conference, and Dan Geer wandered by, overheard me, ducked in, and said, "My favorite programming language is people." I think that's a pretty good summary of the CISO's job. Were you interested in robotics as a child?

I wanted to go into aerospace engineering. I decided that was what I wanted to do when I was 13 years old. Both of my parents are scientists, Ph.D.s who taught for all of their lives. I just grew up loving math and the sciences. But right as I started college, the aerospace industry fell apart. My parents told me, "Go to school for electrical engineering. There is a lot of electrical engineering in aerospace and you can get a job in other disciplines. If you just focus on aerospace, you may have trouble getting into other disciplines."

Once I started my degree in electrical engineering, I also got interested in computers, so I got a dual degree. I loved signals and controls, imaginary and complex numbers, things that are intangible but become useful when you apply them. Combine them all and you get robotics. I do remember having a lot of respect for one of my professors who taught robotics, and I'm sure that was an influence as well.

[Photo: Anahi Santiago]

Project management is what got you interested in security, but how did you wind up interested in project management? There's a very specific set of skills that are necessary for that. How did you develop them?

Organically. I was hired into a contractor/consulting company's engineering and testing lab, and my initial role was to take off-the-shelf applications and make them fit the company's security model. I was a project team member and became better versed in the technology and have always had pretty good leadership skills, so I started taking action on projects that weren't progressing, and naturally moved into project management.

What can a modern CISO do to make the state of medical informatics better? We've got devices that have to be certified, so they can't be upgraded easily, but they have to be in patient-accessible areas. There are some basic conflicts there, and computing is just going to keep getting more important.

There are two parts to that question: What can a CISO do internally within their own organization? And what can a CISO do to effect change in the industry? Our role is to do both!
Internally, it really starts with education. People are the most important asset in any information security program; it starts with educating people about the risks and helping them [to] understand how that ties to patient safety. At the end of the day, they live and breathe patient care, and they will do anything to have good outcomes and make patients' lives better. If you can connect information security to patient safety, you can now connect to your clinicians in language they understand. When I talk to them about clinical devices that are on old, unsupported operating systems that are measuring some critical data about a patient, [I] have to bring integrity into the picture: Do you really have the right information?

I talk to them about ransomware and how if we don't apply good data hygiene and we are infected, you could potentially not have access to your clinical information when you need it. It puts patient lives potentially at risk. And they understand that. Then they start to listen to why security is integral to the continuum of care.

On the second piece, as healthcare leaders, we need to collaborate and share information as well as be active with the regulators. We need to build bridges and communities: Healthcare is under attack. We are the single most attacked industry in the U.S. right now (there are a vast number of reasons for that), so we have to build economies of scale by talking to each other about our needs. Hackers are very collaborative, and as leaders in healthcare information security, we need to start doing the same. We have a great healthcare information security community here in the Philadelphia area. We need that at a national level.
MARCUS J. RANUM, the chief of security at Tenable Network Security Inc., is a world-renowned expert on security system design and implementation. He is the inventor of the first commercial bastion host firewall.

THE HYBRID LIFE

It's Time to Clarify Ownership of Cloud Risk

Business leaders sign off on cloud but fail to understand their accountability. BY DAVE SHACKLEFORD

COMPANIES WANT TO use cloud-based services and applications; thus, security teams need to assess the risk and come up with controls that work in cloud environments. Sounds simple, right?

Securing cloud assets presents numerous challenges, however, from controls that don't translate well to lack of transparency from cloud providers. And one of the most pressing concerns sits squarely with the CISO: pushing for more ownership of cloud risks within the business.

CISOs juggle a lot of security responsibilities, including overseeing technical project teams and communicating cloud risks and possible resolutions to other executives and board members. Unfortunately, it's a common misperception that the information security organization owns the risks of IT projects, whether on premises or in the cloud. For CISOs trying to be flexible and amenable to rapidly changing and competitive business requirements, it's all too easy to gloss over this issue when discussing cloud providers, security controls and deployment scenarios with other stakeholders.

The time has come for security officers to steer the conversation toward risk assessment and review so that business owners actually understand the cloud risks presented and sign off on them, not the information security organization.

MATURE RISK ASSESSMENT

In many organizations (at least, the ones I work with), security teams are still struggling to develop and implement mature risk assessment and review processes for cloud projects. The reasons are many: not enough resources on the security team, apathy from management, slow adoption of changes, pushback from DevOps teams and more. Buy-in from vendor management and procurement teams, with involvement from legal teams, is also critical in properly evaluating risk in contracts. Security officers should balance the input and involvement from all of these teams to provide objective recommendations regarding cloud risks. It's important to ensure business leaders understand the following:
• Moving assets to the cloud does not in any way absolve the organization of responsibilities in protecting systems, applications and data.

• Cloud providers are not wholly transparent in disclosure of security controls and internal security practices and processes. Any discussion of risk, as well as acceptance of risk, must come with the caveat that all stakeholders will likely be making decisions with limited information.

• Compliance requirements will need to be carefully reviewed prior to any cloud deployment, and this will require extra resources and time. In addition, for data governed by compliance and regulatory statutes, any cloud provider selected will have to meet all necessary requirements.

• Legal and vendor management teams will need to review any contract language carefully, requiring additional resources and time. Any new cloud service provider will have to be thoroughly scrutinized before business units sign up for applications and services.

• There is a high likelihood that not all in-house security controls and processes will work in the cloud environment, which may jeopardize compliance status or increase cloud risks significantly.

• Additional products and services may be necessary to help create parity with the organization's current in-house security status. Reviewing options will take time and resources, and it's highly likely that additional costs will be incurred to ensure coverage in the cloud. This cost will also need to be accommodated within any financial and pricing projections cloud teams propose.


CLOUD SECURITY POLICY

In any organization, the board and CEO will ultimately own any risks new IT projects bring and will be held responsible for any breaches or compromise scenarios that arise from decisions. However, security officers should ensure that the business leaders realize that they do, in fact, own these risks; all too often, the perception is that the data custodians, usually IT teams, are responsible for cloud risks incurred during new projects. An excellent starting point to remedying this misconception is to develop a comprehensive cloud security policy that includes the following:

• A clearly stated executive sponsor: Without an executive sponsor or group, it's unlikely that a cloud policy will have enough support to be enforced throughout the organization. The cloud security policy should also include some statement as to who will sign off for cloud projects. Is this the CIO?

• Data types and classifications that are allowed in the cloud and those that aren't, or what controls or additional measures are needed first.

• Compliance mandates that need to be addressed, if any.

CISOs should ensure that use of cloud computing services complies with all current laws; IT security best practices, standards and requirements; and risk management policies. The same goes for all privacy laws and regulations. It's important to make sure that an executive or team explicitly signs off on all use of cloud computing and that they are properly informed with documented cloud risk assessment results. Until this process is accepted within the organization, true risk ownership won't reside where it should on cloud projects: with the senior executives and data owners.

DAVE SHACKLEFORD is the owner and principal consultant of Voodoo Security LLC; lead faculty at IANS; and a SANS analyst, senior instructor and course author. He previously worked as CSO at Configuresoft; CTO at the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.

TechTarget Security Media Group

EDITORIAL DIRECTOR: Robert Richardson
FEATURES EDITOR: Kathleen Richards
MANAGING EDITOR: Brenda L. Horrigan
SITE EDITOR: Robert Wright
SITE EDITOR: Peter Loshin
DIRECTOR OF ONLINE DESIGN: Linda Koury
MANAGING EDITOR, E-PRODUCTS: Moriah Sargent
COLUMNISTS: Marcus Ranum, Dave Shackleford
CONTRIBUTING EDITORS: Kevin Beaver, Crystal Bedell, Mike Chapple, Michele Chubirka, Michael Cobb, Scott Crawford, Peter Giannoulis, Francoise Gilbert, Joseph Granneman, Ernest N. Hayden, David Jacobs, Nick Lewis, Kevin McDonald, Sandra Kay Miller, Ed Moyle, Lisa Phifer, Ben Rothke, Mike Rothman, Karen Scarfone, Joel Snyder, Steven Weil, Ravila Helen White, Lenny Zeltser
EDITORIAL BOARD: Phil Agcaoili, Cox Communications; Seth Bromberger, Energy Sector Consortium; Mike Chapple, Notre Dame; Brian Engle, Health and Human Services Commission, Texas; Mike Hamilton, MK Hamilton and Associates; Chris Ipsen, State of Nevada; Nick Lewis, Saint Louis University; Rich Mogull, Securosis; Tony Spinelli, Equifax; Matthew Todd, Financial Engines; MacDonnell Ulsch, PwC U.S.
VICE PRESIDENT/GROUP PUBLISHER: Doug Olender, dolender@techtarget.com

Stay connected! Follow @SearchSecurity today.

© 2016 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

TechTarget, 275 Grove Street, Newton, MA 02466

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.

www.techtarget.com

COVER IMAGE: SORBETTO/ISTOCK
