Articles

Overview

Because of our ability to communicate complicated concepts in straightforward terms, we have been invited to write for a number of security and business publications. This section includes a selection of our published articles.

Security through Procurement

By Jane Frankland, May 24, 2008

Consider the fact: if it costs the same to install or develop a system badly as it does to install or develop it securely, why would you leave the choice to your supplier? The answer is you wouldn't. Yet so many businesses actually do just that: they design and deploy systems without considering the security aspects from the outset, leaving their businesses wide open to attack and unnecessarily spiralling costs. This article explores a couple of simple actions that can be taken in order to ensure that this doesn't happen.

Hacker: The unspoken, dirty little secret

By Jane Frankland, June 1, 2004

I rarely make a bet, but if you asked me whether I'd wager some money on the likelihood of an organisation employing a hacker to assess their security risk, I'd almost certainly accept on the basis that they would not. Hiring a hacker to assess the security risk of an organisation is something that fewer than 64% of ISOs are willing to consider. That's hardly surprising when the risks are analysed alongside the statistics: viruses and hackers cost businesses worldwide somewhere in the region of US$1.5 trillion. That said, organisations that are unwilling to hire a hacker face one increasing problem: hiring a hacker is not always a conscious decision.

Secure Development: a polarised response

By Jane Frankland, May 13, 2004

Thankfully, these days assessing the security of an application prior to implementation is a normal process for most organisations. Organisations accept the view that the earlier in the implementation cycle that security issues are identified, the greater the return on investment (ROI). However, with such a mature attitude to implementation, it is hard to understand why organisations are not applying the same principles to the software development cycle as a whole. In fact, currently only a limited few are following best-practice recommendations with regard to secure development and reaping the financial rewards that increased development controls bring.

The Benefits of Outsourcing

By Jane Frankland, April 5, 2004

Information Technology departments often demand one of the largest annual budgets in the company, but where does the money go? We all know that IT budgets are spent on everything from resourcing and training to upgrading to the latest technologies, but as Shareholders, Directors and Chief Information Officers (CIOs), are we aware of how much spending is devoted to securing e-business and critical information?

Automated Penetration Testing: Nothing more than a false sense of security!

By Jane Frankland, August 20, 2003

The security industry has matured quickly over the past few years, with penetration testing becoming one of the norms for organisations adopting best-practice processes. Loosely defined as the process of actively assessing an organisation's security measures, penetration testing has been completely reliant on consultancy services, and security manufacturers have been eager to bridge the gap between product and service and, more importantly, to reap the benefits of additional profits.

Evaluating the Return on Security Investment (ROSI): Where's the problem?

By Jane Frankland, July 7, 2003

I've read so many articles that have tried to advise the industry on ways to analyse an organisation's return on security investment (ROSI), with the majority championing the difficulties associated with it and sadly concluding that in fact there is no effective way. Many believe that demonstrating a ROSI in the enterprise is nigh impossible because there are no metrics that measure the ROSI unless a company is attacked or security is outsourced to a managed security provider.

Managing the Security of Data Flow

By Diane Seddon, March 17, 2003

Customer Relationship Management (CRM) systems are cited as one of the major technology successes of the last decade. These 'super databases' enable the real-time sharing of information across global organisations, increasing the visibility of the sales pipeline and providing a central control of the customer experience.

Which Security Assessment Provider?

By Glyn Geoghegan, January 15, 2003

Having identified a requirement for Security Assessment, be it an external penetration test, security assessment or policy audit, it is vital to find an appropriate security services partner. Whether the Security Assessment is driven by an audit requirement, due diligence or a compelling event, it is highly likely that there will be a requirement for a third party to conduct the work.

10 Key Points for Directors Regarding IT Security

By Glyn Geoghegan, September 9, 2002

The first section examines the actual and implied responsibilities Directors face when considering their IT security strategy and breaches thereof. The second section deals with the most common objections.

Application Hacking - the missing piece of the penetration testing jigsaw

By Diane Seddon, August 25, 2002

IT security breaches are now a regular headline feature in the UK with a broad cross-section of organisations from brand-leaders through to public sector departments often failing to deliver secure and trusted systems. The reputational damage resulting from such incidents hits hard with loss of confidence from customers, business partners and shareholders alike.

Security Policy: Underpinning information security

By Diane Seddon, August 14, 2002

The DTI Information Security Breaches Survey 2002 highlighted security policy as the most basic and fundamental discipline in information security. Despite this fact, the study found that only 27% of the UK businesses it surveyed had a documented security policy in place, rising to 59% for larger companies. Although this figure has doubled since the previous survey undertaken in 2000, the number still remains low.

Penetration Testing: Thinking outside the (black)box

By Diane Seddon, August 7, 2002

Perimeter security technology such as firewalls, content filtering and anti-virus protection is paramount to a business's defence against attack but can by no means be assumed to be impenetrable. With an increasing number of companies providing remote network access to employees and even limited access to clients and trusted partners, it is imperative that businesses minimise risk by thoroughly testing their network security.

e-business: Security Threat Management

By Byrne Ghavalas, May 19, 2002

The advent of the Internet and surrounding technology has opened up many opportunities for businesses that are willing to take risks and embrace the e-revolution. This revolution has changed the way we do business and companies around the world are being forced to find new and innovative ways of conducting their business online.

1024-bit RSA Keys in Danger of Compromise

By Martin O'Neal, April 23, 2002

In recent weeks there have been concerned discussions in regard to the key sizes employed by the RSA public key algorithm (which is used in a variety of situations, including, perhaps most notably, securing the key exchange used for SSL web site access).

Are you on top of it?

By Christophe Coindy, April 10, 2002

With so much information and so many services available at the tips of your fingers, how do you cope with information security management? Every day organisations worldwide face the threat of unscheduled downtime and negative publicity due to successful hacking attacks. Those responsible for the security of the systems are forced to react to new threats and must take appropriate action, sometimes within minutes, if they are to avoid becoming just another statistic.

Convergence of Physical and Cyber Security

By Byrne Ghavalas, March 15, 2002

Physical Security and Information Security form a natural synergistic and symbiotic relationship. This relationship has long been acknowledged by the IT security industry, and has been recognised in the BS7799 / ISO17799 security standards. These standards were formed to assist companies in their implementation of industry best practice in information security, by providing a single point of reference, detailing the wide range of controls required to do so.

Security by Sticky Tape!

By Byrne Ghavalas, February 13, 2002

New threats to corporate security are revealed every day; these threats come in a variety of forms and flavours, some crippling, others merely bothersome. It is interesting to note that many systems are breached through the use of old techniques and vulnerabilities and, all too often, a company's security is breached through the most trivial means: default passwords, misconfigured software, insecure services, poor security policies and a lack of security procedures, to name a few.