Stories by Mathias Thurman

A checklist for SaaS vendors

Our manager’s company uses a lot of third-party vendors, and some of these relationships have been in place for years. What will happen when he goes back to assess their security risks?

Written by Mathias Thurman, 02 Feb. 16 23:47

Compliance does not equal security

The effort to meet Level 1 PCI compliance reveals a new security mantra to our manager.

Written by Mathias Thurman, 12 Jan. 16 16:31

To get new initiatives done, money talks

A couple of worthwhile security initiatives will languish if staffers have no incentive to work on them. Solution? Tie them to bonus pay.

Written by Mathias Thurman, 29 Oct. 15 18:17

The perils of single sign-on

SSO will bring several benefits, but our manager has to be prepared to address any security lapses that could accompany it.

Written by Mathias Thurman, 05 Oct. 15 20:35

Of Black Hat and security awareness

The annual security conference was a chance to go deep. But back in the office, how do you get 100% of the company’s employees to complete the security awareness training?

Written by Mathias Thurman, 02 Sept. 15 18:13

Selling IT on getting the most out of a new firewall

We bought a next-generation firewall, as I had hoped we would. The real trick, though, was getting the IT department to take full advantage of all of its advanced functionality.

Written by Mathias Thurman, 18 Aug. 15 02:33

Spotting vulnerabilities takes many eyes

Vulnerabilities can take many forms, and you can't expect to uncover them all unless you have a diverse portfolio of tools to help you in the hunt.

Written by Mathias Thurman, 03 July 15 04:47

A laser focus on PCI compliance

For the past few weeks, I've been knee-deep in PCI compliance. I have previously mentioned that although my company's current credit card transaction volume doesn't require a full PCI audit, we have made a business decision to get the full PCI Report on Compliance, which entails hiring a qualified security assessor (QSA), submitting evidence, conducting a variety of qualified penetration tests and assessment scans and ultimately having an auditor spend about a week on site reviewing evidence and conducting in-depth testing of the 400-plus controls.

Written by Mathias Thurman, 24 June 15 03:07

Taking our breach response plan for a test-drive

One thing that we security managers can be sure of is this: There is no guarantee that our company will not suffer a security breach. In fact, the odds are increasing all the time, helped along by the proliferation of mobile devices, companies' heavy use of software as a service and the consumerization of IT. And let's face it: Creating a culture that fosters innovation and attracts talent exacts a cost in defensibility.

Written by Mathias Thurman, 12 May 15 07:08

With greater visibility comes increased response

I mentioned in a previous article that we are using a "loaner" Palo Alto Networks firewall, with all the bells and whistles. Our testing led to all sorts of interesting discoveries, and I certainly hope that the executive staff will agree that the increased visibility makes this sort of new-generation firewall well worth the investment.

Written by Mathias Thurman, 09 April 15 23:51

Making the case for security

Having been at my new company for several months now, this week I was invited to inform executive management about the state of our security. I had half an hour to formally introduce myself and talk about my philosophy, my initial findings and the priorities I think we need to have.

Written by Mathias Thurman, 11 March 15 03:46

Awareness on the cheap

You don't have to spend a lot of money on some information security initiatives. Take security awareness, for example. You can get huge returns with small investments.

Written by Mathias Thurman, 13 Feb. 15 01:13