RiskBloggers.com

February 2008

McGovern and Hoff on Mistakes

Earlier this week James McGovern told us about Ten Mistakes that CIOs consistently make that weaken enterprise security, and really these all apply to CSOs as well. This list was so awesome that Chris Hoff followed later in the week, heavily citing McGovern and then adding his own list. I highly encourage you to read and absorb both posts. These mistakes are mostly a result of either lazy or stale thinking, so the real message here is that as an executive (in security or anywhere else), it is imperative to constantly reevaluate your position and move on when necessary. In other words, the takeaway here is that mental flexibility is key.

David Mortman is the CSO-in-Residence for Echelon One, LLC, where he is responsible for managing their research and analysis program. Previously, he was the CISO for Siebel Systems. David speaks regularly at RSA, Blackhat and Defcon amongst others and publishes the occasional op-ed in Information Security magazine.


Selling Security to Upper Management

I was recently chatting with some other members of the Security Catalyst forums (www.securitycatalyst.org/forums) and someone asked: “How do I convince management that Security needs to be involved in e-discovery?” This is a great question, and the answer to it highlights a skill that security managers need to learn. The successful security executive is good at sales, and one of the first rules of sales is to make sure that you are selling to the right people. In this case, what my friend needs to be doing is convincing Legal that he’s there to help them. In general, when it comes to issues like compliance and e-discovery, legal departments love it when someone who is technically competent is there and willing to help. This way it’s Legal going to the C-suite and requesting his help rather than Security looking like it’s trying to invade someone else’s turf. The general idea is that when trying to get Security involved in projects, you need to identify the key stakeholders and engage them directly; then the upper management issues will be much easier to solve when you have a united front of engaged users.

 - David Mortman


Is your laptop the same as your suitcase?

Based on what’s reported in this Washington Post article, the U.S. Customs and Border Protection (CBP) agency thinks so. Seems like there are cases of people being searched and forced to not only surrender their laptops and other electronic devices, but to provide passwords and instructions for accessing their systems as well, allowing the officials to create exact copies of all information on the device including documents, browsing history, calendars, email... everything.

While this has obvious privacy concerns (the Electronic Frontier Foundation and Asian Law Caucus have filed suit to force the disclosure of CBP policies in this situation, including which rules govern the seizing and copying of the contents of electronic devices), it also has serious ramifications for us as security professionals. What controls will we need to implement and enforce if this practice is found to be acceptable and becomes more common?

 - Andy Brinkhorst


Security Idol

Look very closely, I think that is Bruce Schneier as one of the contestants. You gotta have fun in our industry…


TSA got Blog!

And they allow flames! Knock yourself out, I want to avoid secondary screening.


Under the sea

By Jim Reavis

What’s going on? Are they making anchors heavier than they used to? We have now had three cut cables in two separate incidents, disrupting Internet service between India, parts of the Middle East and the rest of the world. The suspected culprits are a couple of wayward ships’ anchors, although that working theory is still awaiting confirmation.

I will go along with the accidental theory for the moment; this sort of mishap has happened before, and it would be quite an operation to do this on purpose, even though I find the theory of militant dolphins more fun. These long-haul connections are fewer and farther between than the routes between, say, San Francisco and San Jose, so we are potentially faced with a week or two of India running at 50% of normal bandwidth.

Hopefully this incident will spur some efforts to build some more infrastructure redundancy, even if this turns out to be nothing more than an act of God, or an act of Sinbad. The past few years I have commented that even though the bad guys own more of the Internet than ever before, at least they have the same shared interest in keeping core infrastructure running as the network operators have. However, I am wondering how long this will last. The amazing growth in the sophistication of the cybercrime marketplace combined with the Machiavellian instincts of criminal organizations facing too few consequences makes me wonder if massive disruption of the Internet won’t soon be seen as a business opportunity by someone. After all, there are people who make money when the stock market goes up, and there are people who make money when the stock market goes down.

Who benefits from a weakened India, besides vengeful sea mammals?