
Save the Date for Important Webinar - What You Need to Know About the Cybersecurity Framework

On February 13, the National Institute of Standards and Technology (NIST) will release the much-anticipated cybersecurity framework for critical infrastructure as mandated under President Obama's February 2013 executive order.  This framework (which I've followed extensively over the past year) is coming at a propitious time, with cyber breaches and digital vulnerabilities increasingly dominating the headlines and reshaping government and corporate policies.

The goal of the framework is to offer critical infrastructure providers a road map for managing cybersecurity challenges and to help organizations of all shapes and sizes elevate cybersecurity risks to the level that financial, safety, and operational risks occupy today.  These are tall orders, and NIST has consulted with thousands of cybersecurity technical and policy specialists through nationwide workshops, briefings and two rounds of public comments to come up with something that works.

Despite NIST's goal of keeping the framework high-level and flexible, it won't be that simple for even skilled cybersecurity practitioners to know what to do with it, when, how or why.  Therefore, my firm has teamed with the Industrial Control System Information Sharing and Analysis Center (ICS-ISAC), the private/public center for knowledge sharing regarding industrial control system (ICS) cybersecurity, to host a webinar on what you need to know now about the cybersecurity framework.

Scheduled for February 20 starting at 1 pm EST, this event will feature the top government and industry experts to explain it all.  Representatives from the relevant government agencies will walk through the framework and offer insight into how agencies and the administration view the importance and impact of adopting and following the framework.  Top experts from the electricity, petroleum, technology supply, water utility and other sectors will discuss the impact of the framework on their cybersecurity practices and procedures.

Best of all, it's FREE.  (If you're interested in sponsoring this webinar to gain greater exposure to the top cybersecurity specialists who will attend that event, drop me an email.)  Sign up today and put it on your calendar.  Stay tuned as we publish the full list of speakers.

White House Cybersecurity Official: We Need A Public Health Model for Cybersecurity

(Baltimore, MD)  Amid growing cybersecurity threats which are becoming increasingly difficult to detect and more dangerous at the same time, the U.S. should develop a public health model for cybersecurity, a White House official said today.  Speaking at the 2014 Cybersecurity Innovation Forum here, Michael Daniel, Cybersecurity Coordinator at the White House, said that the existing cybersecurity thought models, which cast cyber threats in military terms such as "attack" or "war," are useful but that it's time to "think of the cybersystem as an immune system."

To achieve better cyber health, several steps are necessary.  The basic steps are:  widespread adoption of best standards and practices, expanded information sharing and the sharing of actionable information.  The need for better cyber health practices becomes more urgent each day because “now we are going [into] a world where the coffee maker, your refrigerator and car are threat vectors,” he said.

“A single [poorly crafted] exploit can yield immense value for its creator.  For years you can keep deploying that same crappy attack.  To better defend our networks we need to decrease the value of these exploits by better cyber public health.”

The importance of effectively communicating good cybersecurity practices is key to maintaining that thought model. “We as a community could do better ways of preparing information in a way that the community can use it,” Donna Dodson, Division Chief of the Computer Security Division at the National Institute of Standards and Technology (NIST), said.  “One of the big points of  [President Obama’s February 2013 executive order] was the need to have a conversation between the bits and bytes and the CEOs. We have to think about how to give people good information and how they can digest it.”

In terms of adapting to innovation, securing the increasing number of mobile devices requires rapid action. “The biggest challenge is for us to move from devices today to mobile devices,” Curt Dukes, Deputy Director, Information Assurance of the National Security Agency (NSA) said.

That cybersecurity has risen to a level of national policy importance in less than a decade is a testament to how important maintaining digital security is to national welfare. “I didn't ever expect the President to say [the word] cybersecurity” in a State of the Union address as he did last night and during last year’s address, Bobbie Stempfley, Deputy Assistant Secretary, Office of Cybersecurity and Communications at the Department of Homeland Security said.

Target, Neiman Marcus Warned Investors of Possible Cyber Breaches....Sort Of

As the corporate and personal losses mount from the recent point-of-sale cyber hacks at Neiman Marcus and Target stores, with the FBI notifying retailers of at least 20 other cases of comparable cyber crimes in the past year, it might be useful to look in the rear view mirror to gauge whether Target, Neiman Marcus or any other merchant understood just how vulnerable they are to cyber theft losses.  Target alone may be subject to nearly $2 billion in liabilities, only about $100 million of which will likely be covered by insurance.

Moreover, not only has the company's stock plummeted, but Target may also have to postpone indefinitely planned stock buybacks.  So it's safe to say that Target's cyber breach, at least, is a "material" incident from an investor's standpoint.

As it so happens, the Securities and Exchange Commission (SEC) issued disclosure guidance in 2011 regarding cybersecurity risks and incidents, under which publicly traded companies (both Target and Neiman Marcus are publicly traded) may be obliged under risk reporting requirements to disclose cybersecurity risks and incidents.  This guidance is not, technically speaking, a strict requirement, but the SEC does say that "material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures [emphasis added]."

To date, few companies (and really none that can be found by searching the Edgar database) have reported cyber attacks or breaches that have had material impacts on corporate operations or finances.  But virtually every relevant company -- though significantly not all, which is a story for another day -- includes some kind of discussion in its 10-K or 10-Q SEC financial reports stating that a cyber attack could have a material impact on its operations or finances.

Target and Neiman Marcus fall into this category.  Here is Target's statement in its most recent 10-K:
If our efforts to protect the security of personal information about our guests and team members are unsuccessful, we could be subject to costly government enforcement actions and private litigation and our reputation could suffer.
The nature of our business involves the receipt and storage of personal information about our guests and team members. We have a program in place to detect and respond to data security incidents. To date, all incidents we have experienced have been insignificant. If we experience a significant data security breach or fail to detect and appropriately respond to a significant data security breach, we could be exposed to government enforcement actions and private litigation. In addition, our guests could lose confidence in our ability to protect their personal information, which could cause them to discontinue usage of REDcards, decline to use our pharmacy services, or stop shopping with us altogether. The loss of confidence from a significant data security breach involving team members could hurt our reputation, cause team member recruiting and retention challenges, increase our labor costs and affect how we operate our business. 
A significant disruption in our computer systems could adversely affect our operations. 
We rely extensively on our computer systems to manage inventory, process guest transactions, service REDcard accounts and summarize and analyze results. Our systems are subject to damage or interruption from power outages, telecommunications failures, computer viruses and malicious attacks, security breaches and catastrophic events. If our systems are damaged or fail to function properly, we may incur substantial costs to repair or replace them, experience loss of critical data and interruptions or delays in our ability to manage inventories or process guest transactions, and encounter a loss of guest confidence which could adversely affect our results of operations.
And here is the comparable guidance from Neiman Marcus' most recent 10-K:
Material disruption in our information systems could adversely affect our business or results of operations.

We rely on our information systems to process transactions, summarize our operating results and manage our business. Our information systems are subject to damage or interruption from power outages, computer and telecommunications failures, computer viruses, cyber-attack or other security breaches and catastrophic events such as fires, floods, earthquakes, tornadoes, hurricanes and acts of war or terrorism.

To keep pace with changing technology, we must continuously implement new information technology systems as well as enhance our existing systems. The successful execution of some of our growth strategies is dependent on the design and implementation of new systems and technologies and/or the enhancement of existing systems, in particular the expansion of our omni-channel and online capabilities.

The reliability and capacity of our information systems is critical to our operations and the implementation of our growth initiatives. Any disruptions affecting our information systems, or delays or difficulties in implementing or integrating new systems, could have an adverse effect on our business, in particular our Online operation, and results of operations.

A breach in information privacy could negatively impact our operations.

The protection of our customer, employee and company data is critically important to us. We utilize customer data captured through both our proprietary credit card programs and our online activities. Our customers have a high expectation that we will adequately safeguard and protect their personal information. A significant breach of customer, employee or company data could damage our reputation and relationships with our customers and result in lost revenues, fines and lawsuits.

We outsource certain business processes to third party vendors, which subjects us to risks, including disruptions in business and increased costs.

We outsource some technology-related business processes to third parties. These include credit card authorization and processing, insurance claims processing, payroll processing, record keeping for retirement and benefit plans and certain information technology functions. In addition, we review outsourcing alternatives on a regular basis and may decide to outsource additional business processes in the future. Further, we depend on third party vendors for delivery of our products from manufacturers and to our customers. We try to ensure that all providers of outsourced services are observing proper internal control practices, such as redundant processing facilities; however, there are no guarantees that failures will not occur. Failure of third parties to provide adequate services could have an adverse effect on our results of operations or ability to accomplish our financial and management reporting.
Although these descriptions seem adequate in terms of laying out the risks, SEC staff have flagged similar statements by other publicly traded companies, requesting that those companies modify their statements to provide more detail about whether cyber incidents have occurred and what those incidents entailed.

For example, Walmart was pressed by SEC staff to strengthen their cybersecurity risk language.  In June 22, 2012 correspondence with the SEC, Walmart agreed to modify its cybersecurity language, stating:
Each year, computer hackers make numerous attempts to breach the Company's information systems. None of the attempts by computer hackers have resulted in any unauthorized person gaining access to the personal information of the Company's customers, associates or vendors stored on the Company's information systems. In light of these facts, the Company does not believe that such attempts to access that information have previously constituted, or currently constitute, a material risk to the Company's operations, its results of operations or financial condition, or its reputation. Consistent with the Staff's guidance in CF Disclosure Guidance: Topic 2 (the “Cybersecurity Guidance”) that registrants should provide disclosure tailored to their particular circumstances, the Company has not previously disclosed its historical experience with cyberattacks in the risk factor on which the Staff has commented (the “Subject Risk Factor”). 
The Company believes the inclusion of the Subject Risk Factor in the Company's Annual Report on Form 10-K is not currently required by Item 503 of the Commission's Regulation S-K or the Cybersecurity Guidance. Nevertheless, in light of recent disclosure trends, the Company included the Subject Risk Factor in its Annual Report on Form 10-K for the year ended January 31, 2012 (the “FY 2012 10-K”) to alert investors that it is possible for the security of the personal information that the Company holds to be breached and to inform investors of the potential consequences of such a breach for the Company. The Company employed the phrase “may be vulnerable” in the Subject Risk Factor to indicate specifically that it is possible that such a breach might occur, not that such a breach had previously occurred or was probable. 
In response to the Staff's request that, in the future, certain information be included in the Subject Risk Factor to give context to existing disclosure, and in order to state more plainly the point of the phrase “may be vulnerable,” in the future the Company will modify its risk factor disclosure relating to the risk discussed in the Subject Risk Factor to read substantially as follows: 
Any failure to maintain the security of the information relating to our customers, associates and vendors that we hold, whether as a result of cybersecurity attacks or otherwise, could damage our reputation with customers, associates and vendors, could cause us to incur substantial additional costs and to become subject to litigation, and could adversely affect our operating results. 
As do most retailers, we receive certain personal information about our customers, and we also receive personal information concerning our associates and vendors. In addition, our online operations at, and other websites depend upon the secure transmission of confidential information over public networks, including information permitting cashless payments. Each year, computer hackers make numerous attempts to access the information stored in our information systems. We maintain substantial security measures to protect, and to prevent unauthorized access to, such information.  
As a result of those measures, the past attempts by computer hackers to gain access to the information stored on our information systems have been unsuccessful. Nevertheless, it is possible that computer hackers and others (through cyberattacks, which are rapidly evolving and becoming increasingly sophisticated, or by other means) might compromise our security measures in the future and obtain the personal information of customers, associates and vendors that we hold. Such an occurrence could adversely affect our reputation with our customers, associates, and vendors, as well as our operations, results of operations, financial condition and liquidity, and could result in litigation against us or the imposition of penalties. Moreover, a security breach could require that we expend significant additional resources to upgrade further the security measures that we employ to guard such important personal information against cyberattacks and other attempts to access such information and could result in a disruption of our operations, particularly our online sales operations.
As another example, Netflix, when pressed by SEC staff, modified its cybersecurity risk warning to offer more detail about what kinds of cyber threats it had experienced.  In correspondence with the SEC, Netflix said:
[This paragraph is a quote of what the SEC said to Netflix in an earlier letter, reproduced by Netflix in its correspondence] We note that you derive a significant percentage of revenues from online subscriptions and rely on third-party encryption authentication technology to secure billing data, such as credit card numbers. We also note that you disclose that your services and those of third-parties that you use in your operations are vulnerable to computer viruses, physical or electronic break-ins and similar disruptions which could lead to theft of data. Although you disclose that your website periodically experiences directed attacks intended to cause a disruption in service, you do not provide disclosure about whether you experience the other types of cyber threats that you describe in this filing. Please tell us whether you have experienced attempts to disrupt your internal systems, including unauthorized access to data or theft of data in the past and, if so, whether disclosure of that fact would provide the proper context for your risk factor disclosures. Please refer to the Division of Corporation Finance's Disclosure Guidance Topic No. 2 at for additional information.

We respectfully advise the Staff that the risk factor describing “directed attacks intended to cause disruption of service” encompasses interruptions and delays in our service as well as loss, misuse or theft of data. To date these directed attacks have not been of a significant nature. In our 10-K filing for the year ended December 31, 2012, the Company will augment the risk factor by revising as follows: 
“Our servers and those of third parties we use in our operations (i) are vulnerable to computer viruses, physical or electronic break ins and similar disruptions and (ii) periodically experience directed attacks intended to lead to interruptions and delays in our service and operations as well as loss, misuse or theft of data. Any attempt by hackers to disrupt our service or otherwise access our systems, if successful, could harm our business, be expensive to remedy and damage our reputation. The Company has implemented certain systems and processes to thwart hackers and to date hackers have not had a material impact on our service or systems however, this is no assurance that hackers may not be successful in the future. Our insurance does not cover expenses related to such disruptions or unauthorized access. Efforts to prevent hackers from disrupting our service or otherwise accessing our systems are expensive to implement and may limit the functionality of or otherwise negatively impact our service offering and systems. Any significant disruption to our service or access to our systems could result in a loss of subscribers and adversely affect our business and results of operation.”
A few companies (such as Comcast) have pushed back against SEC staff recommendations and argued against any modification or elaboration of the cybersecurity risk language used in their financial reports.

SEC staff are extremely tight-lipped about discussing cybersecurity guidance, refusing to explain why they flag some corporate filings and not others and whether what is merely guidance today will likely become requirements tomorrow.  SEC attorneys and public affairs specialists merely point to the publicly available correspondence on this matter when asked for elaboration.

Some private sector securities attorneys say that the SEC has been quietly itching to step up the pressure and make more detailed cybersecurity disclosures bona fide risk reporting requirements or, barring that, seems interested in engaging in legal battle with companies the regulatory agency believes are not reporting their cyber risks in good faith.  Either way, the Target and Neiman Marcus breaches could lead to more public reporting on the cyber risks that corporations increasingly face.

(Photo Credit:  Lotus Head from Johannesburg, Gauteng, South Africa under Creative Commons License).

Twelve Must-Visit Cybersecurity News Websites

Today I took a long overdue look at a Flipboard magazine I set up on cybersecurity some months ago.  For those of you not familiar with Flipboard, it's a content aggregation and publishing service that allows anyone to create their own magazine devoted to any desired topic.  The result is a beautiful publication, replete with images, that you can literally flip through on a tablet or smartphone (see my magazine at and subscribe to it while you're there).  A less snazzy computer-based version of Flipboard is now available - instead of swiping you flip through the magazine using the scroll wheel on your mouse.

What I realized is that the content I "publish" in my cybersecurity magazine comes mostly from what most people consider to be the mainstream media.  That is a testament to just how big a hot-button issue cybersecurity has become.  Obviously The Guardian, New York Times, Washington Post, Forbes, The Atlantic and other top publications are increasingly devoting their assets to a topic that has turned into a coveted competitive news beat, with young, ambitious tech-savvy reporters cropping up all over the place to land a hacking, surveillance or national security scoop that in some way or another falls into the digital security realm.

Just below this level of big-name publications, however, are dozens of news, analysis or specialist websites that are mandatory reading for anybody who needs to know what's going on in cybersecurity.  But which ones are the best for staying abreast of the latest developments if you're pressed for time?  

The following is my list of twelve must-visit cybersecurity websites that you should bookmark or check out when time permits.  A few of them are not, technically speaking, "news" sites (such as Schneier on Security) but made the list because of the insight and expertise of their contributors.  And the frequency of publication varies from site to site - some feature only a few posts per week and some, such as the group of publications under the Information Security Media Group, feature multiple posts per day, often across multiple publications simultaneously.

Most people I talk to these days are overwhelmed with information on the subject of cybersecurity.  If this list helps, you're welcome.  But if you have nominations for better websites (not including blogs - I'm compiling a list of the best cybersecurity blogs and it is a surprising collection), let me know.

Cybersecurity Venture Funding Easily Tops Half Billion Dollars

On Monday, "stealth" mobile security start-up Bluebox became the latest in a string of ventures to announce major funding by blue-chip investors, snagging $18 million in a series B funding round that included powerhouses Andreessen Horowitz and Sun Microsystems.  That venture capitalists are pouring money into cybersecurity is no secret; but what's interesting is just how much money is flowing into these complex ventures.

I've assembled in the table below some of the more prominent venture investments in cybersecurity start-ups since early 2012.  Altogether the companies in this table have raised over $500 million in venture funding, and these investments are probably only a portion of the venture capital money available to cybersecurity entrepreneurs.

On the heels of the Snowden revelations and the lawsuits flying in the wake of the Target breaches, investors have to be salivating at the prospects of getting in on the ground floor of what no doubt is, and will become, a hugely lucrative market with plenty of room for more entrants.
