5 tips to make the most of your infosec risk assessment

Let’s face it. Information security risk assessments are boring. The only reason most organisations endure a risk assessment is to (a) comply with a regulatory requirement or (b) get certified against a standard that requires you to have one. But it does not have to be this way. Risk assessments can be very […]

The Symantec Threat Report 2018 – and 4 takeaways for the Infosec Professional

The Symantec Threat Report for 2018 is out. It can be downloaded from Symantec’s site. If you do not have the time to read the entire 89-page report, here is a brief summary and the key takeaways for you, as an infosec professional, to apply to your organisation.

Before you read the report, there are a few things that you must know. This is not a general data breach report. If you want statistics about how much data was lost and who was responsible, this is not the report for you. This report focuses only on the threats that Symantec observed on the Internet in 2017, and it does a good job of that. If you want a more general picture of the state of cyber threats and vulnerabilities, read other reports in conjunction with this one.

I have divided this into three sections for easy reading.


The ethics of bitcoins and other cryptocurrencies

Is a bitcoin investor unknowingly supporting illegal drug trade and child pornography? Do the drawbacks of using cryptocurrency exceed the advantages to society at large?

This is a topic that no one talks about. The ethics of cryptocurrency. To even begin to think about the ethics of cryptocurrency, we will need to know a little more about cryptocurrency and money in general.


5 ways to kill your cybersecurity messenger

Cybersecurity professionals, by the nature of their job, are bearers of bad news. They routinely bring ‘possible risk scenarios’ to the table. They ask for resources to mitigate the possibility (sometimes remote) of something bad happening.

This is not a very pleasant thing to hear. Boards treat such individuals with disdain. They treat such people just like anyone would treat a doctor who, on a routine checkup, says - “Nothing is wrong with you yet, but if you don’t start exercising, something will go wrong”.

The messenger, therefore, is routinely killed. If you are a board member who is bored of the antics of these cybersecurity professionals, or just want some entertainment at the expense of your cybersecurity guy, here are 5 tips to help you kill the messenger.


2017 – The year in Infosec

Should I continue to call it Infosec? Or should I change with the times to call it ‘Cybersecurity’? Whatever the name, 2017 was an interesting year for information security or cybersecurity or whatever you choose to call it. Here are a few things of note that happened:

This is a rather long post, so read it when you have the time. A quick set of links to the topics covered:

Data Privacy - A big leap

Cybersecurity - skill gap

Artificial intelligence is here

State Sponsored cyber attacks

The social media giants and their antics

Aadhar and the hullabaloo around it

Large scale data breaches



2016 – The year in infosec

Note: This is a long post about infosec in 2016 and 2017. Read when you have the time.

2016 has been an interesting year. Donald Trump became president elect. The Syrian crisis worsened. Brexit happened.  India demonetised 87% of its currency in one stroke. Cybersecurity and infosec was uttered more frequently in corporate boardrooms - and for good reason too.

How was the year for infosec? Here are a few areas where things happened and will probably continue to happen in 2017.


8 steps to write a cloud security policy

Everything is moving to the cloud - a cliché we have heard so often that we have started to believe it to be true. To some extent, it is. The infosec professional has been caught on her heels by cloud security. Just when she got round to analysing the risks of virtualisation, the monster of cloud-based services crept up behind her. The simplicity and attractive pricing offered by cloud service providers lets shadow IT sign up for a service before you can say ‘cloud security’. There are myriad arguments flying around…

“Everyone’s using Evernote! What’s infosec got to do with it?”

“…but it is free for up to 5 users and we are not more than 5 users!”

“This is way cheaper than what my accounts package costs…and I can access it from home.”

These are words that strike terror in the heart of infosec professionals.


The quest for good passwords

Passwords are easily the most talked about infosec control: perhaps the simplest concept to explain and surprisingly hard to implement well. Allow a user to keep any password, without restriction, and she will use her username as the password. Add complexity requirements and she will write it down.

Infosec professionals take every possible measure to get users to keep their passwords confidential. They provide guidelines on creating good passwords. They use analogies - ‘A password is just like a key! Would you share the key to your house?’. They enforce password rules by building them into the systems. Try as you might, people and passwords seem to have a healthy dislike for each other.
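One way to build the rule into the system without driving users to write passwords down is to screen for the failures the excerpt describes (username as password, well-known passwords, trivial patterns) and to require length rather than character classes, as NIST SP 800-63B recommends. The following is an added example, not code from the post; the blocklist is a constructed sample and a real deployment would check against a breached-password corpus of its own choosing.

```python
import unicodedata

# Constructed sample of common passwords. In production, replace this with a
# breached-password source (assumption: whichever corpus your organisation uses).
BLOCKLIST = {"password", "password1", "123456", "qwerty", "letmein",
             "welcome1", "iloveyou"}

MIN_LEN = 8    # length, not composition, is the primary strength requirement
MAX_LEN = 64   # allow passphrases; cap only to bound hashing cost


def check_password(username: str, password: str) -> list:
    """Return the list of reasons a password is rejected; empty list means accepted."""
    # NFKC normalisation so visually identical Unicode input is compared consistently
    pw = unicodedata.normalize("NFKC", password)
    low = pw.lower()
    user = username.lower()
    reasons = []

    if len(pw) < MIN_LEN:
        reasons.append("too_short")
    if len(pw) > MAX_LEN:
        reasons.append("too_long")

    # The excerpt's first failure mode: the username as the password.
    # Also reject passwords that embed a username of meaningful length.
    if low == user or (len(user) >= 4 and user in low):
        reasons.append("contains_username")

    # Known-bad passwords are rejected regardless of how "complex" they look.
    if low in BLOCKLIST:
        reasons.append("blocklisted")

    # Fewer than three distinct characters, e.g. "aaaaaaaa" or "abababab".
    if len(set(low)) < 3:
        reasons.append("repetitive")

    # All-digit runs where every neighbour differs by at most one, e.g. "12345678".
    if low.isdigit() and all(abs(int(b) - int(a)) <= 1 for a, b in zip(low, low[1:])):
        reasons.append("sequential")

    return reasons


if __name__ == "__main__":
    for u, p in [("alice", "alice"), ("alice", "password1"),
                 ("bob", "12345678"), ("alice", "correct horse battery staple")]:
        print(f"{u!r:10} {p!r:32} -> {check_password(u, p) or 'accepted'}")
```

Returning the reasons rather than a bare boolean lets the registration form tell the user precisely why a choice was rejected, which is what keeps users from retreating to sticky notes.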