Recently in Old commissions Category

Can you help with the following article? This article will be appearing in SC Magazine. SC features on specific technologies and trends are designed to inform IT security professionals about the state of the art in that area.

Virtualisation is being touted as the next wave in corporate computing but its advantages bring new challenges and headaches for the information security professional. You can't move these days in IT circles for people touting the advantages of VMWare and other virtualised systems - and advantages there are many, but those bring with them security pressures and risks.

Questions to consider

  • What are the advantages of virtualisation?
  • Is it any different from network computing?
  • What are those security risks?
  • How do these risks differ from those on non-virtual systems?
  • Is there anything that should not, absolutely, be virtualised?
  • Could a virtualised system actually offer more robust security than a non-virtual system? How?
  • Who are the leaders in secure virtual systems and what technologies do they use?

I'd like to speak to analysts, consultants, select vendors and the technical community for this piece.

I'm also looking for stats on how fast are UK businesses moving to virtualisation and what the reasons are.

Lastly, some companies like IBM are actively using virtual worlds like Second Life for serious business purposes like holding global sales meetings and to build communities for partners and customers. But how safe is this? Surely it's asking for trouble expecting virtual communities to be safe where you cannot be sure that anyone is who they say they are? I'd like to know if any other businesses are following IBM's lead, why they are doing it and what security steps they're putting in place.

I'd like to arrange interviews for this week and the week of the 7th - please note, I'm on holiday the week of the 31st so won't be able to answer questions, emails, etc during that week. My _absolute_ deadline for this piece is the 18th September.

HOW TO REPLY: send an email to pr@robbuckley.co.uk or leave a comment below

IT security professionals charged with securing the information architecture of an e-commerce-driven business face special and daunting challenges. They must fight phishing attempts, identity theft, reputation management and DDoS attacks, and at the same time, the risk of media exposure of the business if they get it wrong.

What is the latest thinking in protecting an e-business from cyber attack? This feature will go behind the headlines to look at the reality of attacks and outline what IT security professionals should do to mitigate threats and deal with attacks if and when they happen.

So I'd like to speak to consultants and analysts as well as IT security professionals, including at least one for a case study, preferably about someone who has successfully defended against non-trivial attacks (DDoS, hackers attempting to penetrate networks, bad employees trying to hack from within, etc.), to discuss the latest security thinking.

Interviews will probably mostly be conducted between 16-24th July. My final, final deadline (before anyone asks) is the 28th July.

Can you help with the following article? This article will be appearing in SC Magazine. SC features on specific technologies and trends are designed to inform IT security professionals about the state of the art in that area.

Deadline for leads is 7th November 2008. Email me or leave a comment below.

Extending the ROI on information security expenditure

How Information Security Professionals (ISP) can ensure that their investment in technology, people and consultants actually pays off. What are the best ways to ensure they get value for money, please the CEO and CFO and improve security - all at the same time?

The conundrum of being an effective information security professional is that if you do a good job then there aren't any tangible results -- you can only point to reduced or zero breaches. If the board sees that the company seems to be insulated from attack it may be hard to get agreement for increased spend or bigger teams.

The problem is that the board doesn't see what you see. They don't know that you and your team are working 14 hours a day just to keep up with the waves of attacks and patching old systems.

So how does the CISO?

- Devise a budget

- Model the likely level of attack for the next four quarters (risk assessment)

- Audit current system architectures

- Work out how much to spend

- Get the best value and deals from vendors and consultants and resellers

- Prove to the board that without the investment and spend required the company would suffer monetary loss

- Prove what the ROI would be on security spend

What skills does a CISO need to do all this? Are there any software tools available that can help? Can consultants help?

Should information security actually be exempt from proving ROI, as it is necessary in the same way as physical security like alarms, fire exits, CCTV etc., which most of the time are redundant to the functioning of the company's core business?

Box 1: Recessionary times
This feature has become all the more topical given the current financial crisis and the impending recession but there are two schools of thought at the moment. One is that security spend will hold up as it's the one area that business cannot afford to skimp on because attacks may increase. Others however think that it is unlikely and that spending will be squeezed on security and at the very least legacy systems will be patched and made to last and 2009 budgets will remain static at best - cut at worst. What is the truth about all this? Who is right?

Box 2: Case study
An interview with a CISO or CSO from a well known business about how they configured their budget, got buy-in from the board and possibly devised a system to prove ROI on their architecture, policies and staff.

This feature is designed to help information security professionals educate company employees about the importance of security awareness and employee responsibility.

This article will be a practical guide to penetration testing for companies that need to check their company's security is as good as they hope it is.

This article will concentrate on the technologies, systems and processes that businesses are deploying to ensure they meet compliance standards. What kind of strategies are they putting in place? Can compliance be achieved without any extra investment in kit?

All television commissions need to be '360°' these days, with web sites, mobile content, et al. considered from the outset. But is there a genuine market for this content? And is there the necessary budget to create it?

Like videos before them, DVDs have come out weeks, months or years after the film or TV show has aired. With more and more people waiting until DVDs are released before watching an entire series, is it time for the whole idea of 'windowing' to be done away with?

What are the best ways for IT managers to combat image spam themselves, how are outsourcers fighting it, and is it now managing to evade the previous (and possibly current and next) generations of anti-spam devices and software (e.g. Bayesian, rules-based, etc.)? Does it require new technology or can the old technology adapt?

In the US, iTunes is the king of Internet television content, with simple one-click purchasing of content that viewers can own and play forever. Various free Flash-based services from the major networks, such as InnerTube from CBS, allow viewers to play catch-up for free with shows they've missed or that have been cancelled (such as ABC's Daybreak). Networks are already talking about showing the fall's new programming online first to create good word of mouth. With ABC having sold out all its ad space on ABC.com, is making money on the Internet with television finally possible?
