- 25 years' experience leading high-performing global product development teams, specializing in network security and security management.
- Experience in embedded software and hardware product development includes 12 years of development leadership at Cisco for products in the web services, Internet telephony, network and content security markets.
- Has led in-house and outsourced teams in India for more than 10 years; created groups and grew teams from 5 to over 50 employees; helped structure products and projects to get maximum benefit of U.S./India development work while minimizing the need for daily calls/meetings for coordination.
- Championed secure development practices at Cisco, focusing teams on processes to help improve the security of products from the initial design through implementation and bug-fix stages.
- Has spent virtually his entire career working on multi-site development projects and has led multi-site development projects spanning the U.S., Europe and India.
- Liability for fraudulent credit card charges is shifting.
A major change – what is known as "the liability shift" – is coming to the payment card industry in October 2015. In the past, the issuing bank for credit cards assumed liability for fraud. Liability is shifting to the party in the payment-processing chain with the weakest security.
Odds are, the issuing bank is not going to be the one with the weakest security. Nor is it likely to be the payment processor or the company that routes the transactions to the banks. Most likely, the retailer will have the weakest security and therefore will be on the hook for fraud. Therefore, it is incumbent on all parties in the transaction to update their security. For example, for in-person transactions retailers need to install payment terminals that can accept the new chip-based cards.
- Use of "shadow IT" services is growing.
In addition to the cloud services validated and offered by a company, employees often use other, outside services to accomplish their jobs. It might be something as simple as a file-sharing service used to transfer material to a client because a file was too large for email. It may be online storage used by an employee who wants to access files to do legitimate work at home.
The problem, of course, is that these services are outside of your company's control and may not have the security controls that are needed to protect your sensitive data. It is important for companies to get a grasp on these shadow IT services used by their employees and to then build a plan for providing comparable offerings that are officially supported, whether that is through a "business/enterprise" version of the same service or through a similar service that provides the level of security your company requires. In addition, ongoing monitoring will be required to identify new "shadow IT" services.
- Bring-your-own-device computing is breaking down traditional IT walls.
Traditionally, IT departments could build a wall and dig a moat around company data and keep it inside the network. But as society and business get more mobile and find real-time access to data becomes more important, it is increasingly common for a variety of devices – both company-owned and personal – to seek access to important data.
That makes security a much bigger job because the security postures of those outside devices and networks aren't always known. But it may not be practical to limit access to only company assets inside of the company network. Many companies are looking at mobile device management (MDM) solutions to provide controlled access to company data on personal devices. These solutions also give companies a way to "wipe" the company data from the personal device in the event it is lost, stolen or if the employee leaves your company.
- As security improves, humans increasingly are the weak link.
For all the security that can be brought to bear through hardware and software, humans are still creative in coming up with ways to do their jobs. That creativity sometimes circumvents security.
For that reason, network and data security is much like old-fashioned building security. The locks alone do not do the job; someone also walks the building checking the locks and windows. In an IT setting, that means monitoring network and data usage and looking for anomalies or problems, even when they are unintentional on the part of a user.
- Advanced persistent threats are a growing problem.
IT departments are no longer worried only about someone trying to break down the door. A newer worry is malware that makes its way into your network but sits dormant or in listening mode for extended periods before activating to perform its task. Email, and links contained in email, remain the most common entry points for malware. Some of the malware in circulation is very sophisticated, and in some cases it is customized to target a specific company or industry.
- Anything-as-a-Service (XaaS) is changing IT – moving from expensive capital equipment and software to a monthly pay-as-you-go expense.
It's getting easier to pay a relatively low monthly fee to get significant data and software services up and running quickly. This has grown from simple file-sharing and data storage in the cloud to software services for customer relationship management and other business systems. Software that once was housed on company-owned servers inside a data center may now live in the cloud, and companies can pay for it by the month, growing or shrinking their system as needs change.
- Purchasers of cloud services are vetting security measures more intensely.
With the XaaS change, companies are saving money on data centers and IT staff, but must not lose sight of the fact that the security of the data and of the cloud services themselves is important. Companies are becoming more sophisticated in their understanding of the XaaS market and are starting to perform detailed investigations of the security and operations practices of their cloud providers.
Many are developing detailed questionnaires related to security, software development and operations practices. These questionnaires extend beyond the software provider to the third parties involved in providing the service, such as cloud compute, storage and security providers.