CISOs Look Past Compliance for New Solutions to Old Problems

SC Congress 2012 Brings Top IT Security Speakers to Chicago

November 27, 2012
Larry Whiteside, CISO, Spectrum Health System

Larry Whiteside, CISO for Spectrum Health Systems, speaks at the 2012 SC Congress in Chicago on how mobile devices in the workplace are changing the landscape of security. Photo by Tom Ford of Ford Photography

The cyber landscape is constantly shifting – new threats arise daily in the form of employees’ devices, malware and denial-of-service attacks, and the nebulous menace of hacktivist societies, such as Anonymous. And while these continue to mount, new CISOs are fighting back within their organizations to reform information security protocols and meet the oncoming risks head-on.

At a November conference in Chicago, the SC Congress 2012 from SC Magazine, I had the opportunity to sit down and meet several leading CISOs, as well as listen in to some thought-provoking keynote sessions on the threats of the day:

Becoming the Office of “Maybe”

According to Ward Spangenberg, CISO of Pearl.com, formerly of online gaming giant Zynga, companies are facing a wide variety of threats and problems, many of which are brought in by employees.

“You can’t be the ‘no’ guy,” says Spangenberg. “Every time you just shut down an employee’s request with a ‘no,’ you’ve destroyed an opportunity to affect good change.”

He says that IT security professionals should tackle these requests from the side, especially when they come from upper management. “Start with ‘maybe,’” he adds – the CISO’s willingness to compromise and explore different or unusual solutions can expand a business’s efficiency while improving employees’ awareness and respect of security.

Building the Best BYOD Policy

And speaking of improving employee relations, the BYOD (Bring Your Own Device) movement was one of the hot topics of the conference. The panel discussion on mobile security brought some strongly conflicting opinions to the fore, most notably: should security adjust BYOD policies because new talent demands the use of their own devices, or should the new talent adjust their work styles to the existing company policy?

Cost, the speakers said, is not a factor in BYOD, at least not compared to the empowerment of the workforce. Incoming workers are of the “multitasking generation,” and many of them ask about device policies during job interviews. Several speakers noted throughout the day that if a talented applicant dislikes a company’s stringent BYOD decisions, they could decide to work elsewhere.

According to Larry Whiteside, CISO at Spectrum Health Systems, companies should run a pilot program to gauge employee interest, while deploying encryption tools on all devices, including desktop computers, to help reduce the risk of data loss due to device theft.

The Threat Landscape

“Look at the OSX threats – the top problems haven’t changed in 10 years,” says Spangenberg. “We might have job security, but we’re not fixing the key problems.

“There’s nothing horribly new to implement. It’s all attacks against software, so we have to harden those targets – force you back to the harder access points. We have to block the easy ways in,” he says.

For Whiteside, the key is due diligence: “With users… you can’t unteach stupidity. Sometimes, due diligence is all you can do – you cannot always hold fiscal responsibility.”

In healthcare security, Whiteside is most concerned with addressing access management and data tracking within the facilities he oversees, along with device loss and encryption.

“Organizations have not been doing their best practices,” he says. “But now, the Federal government is doing a better job in holding organizations accountable for their actions, and organizations are taking note and taking action.”

Panel on "Threats of the Hour" at SC Congress 2012
Pictured from left to right: Eric Green, SC Congress Director; Mary Chaney, incident response leader for GE Capital Americas; Kirsten Bay, Bodkin Group principal; and Scott Gerlach, director of information security operations for GoDaddy.com. Photo by Tom Ford of Ford Photography.

Another buzzword was Anonymous, but perhaps it was buzzier than it needed to be, according to Kirsten Bay, principal at The Bodkin Group. She admitted a certain amount of frustration on the budgetary side – management keeps pulling funding toward preventing hacktivist attacks, while the priority should be elsewhere.

If an organization is the target of an Anonymous or hacktivist party threat, Bay recommends that the company get out in front of the issue – finding someone who will evaluate the perceptions of events before anything is released. She stresses prioritization – will an attack shut you down or just embarrass you? Would your attention (and funding) be better served elsewhere?

Solving the Problems

“Compliance should be the floor, not the ceiling, of your efforts,” says Rafael Diaz, CISO of the State of Illinois, at the event. “It’s the fundamental layer for every security program.”

However, other speakers warned against using compliance as the be-all-end-all of an information security program.

“Compliance is a great hammer – if you have a nail,” says Spangenberg. “Don’t use a hammer if you have a screw. … If you have a motorcycle, the law requires that you wear a helmet. Well, you’re only managing risk for your brain. What about the rest of you?”

Spangenberg has a variety of other security recommendations to take IT departments past the “helmet” stage of compliance, including hiring hackers.


“I’ve mentored ethical hackers for years,” he says. “If we don’t continue to promote that art, it disappears. Hacktivists are exposing that people are dumb – so why not use hackers to make the systems smarter?”

His other recommendations include:

  • Using a FAIR report (Factor Analysis of Information Risk), which can translate the risk into real dollar amounts, making it easier to sell to the C-suite
  • BSIMM reports, which function as security initiative report cards or benchmarking tools
  • Penetration tests, on both the IT and physical sides of security
  • Code reviews
  • Scans (“You know they’re being conducted on you – you should at least know what the other side is seeing.”)
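A worked FAIR-style calculation, added here as an illustration and not taken from the article or any of its speakers, showing how the factors behind a FAIR report (threat event frequency, vulnerability, loss magnitude) turn into the dollar figures a CISO can show the C-suite. The scenario is one the article also raises, theft of a device holding patient data, compared with and without full-disk encryption; every range and the FairScenario/simulate/summarize names are constructed for this example.

```python
# Hypothetical FAIR-style estimate of annualized loss exposure for one
# scenario: a stolen laptop holding patient data, with and without full-disk
# encryption. All ranges are constructed for illustration, not real data.
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class FairScenario:
    name: str
    tef: tuple   # Threat Event Frequency per year: (low, most likely, high)
    vuln: tuple  # Vulnerability: P(a threat event becomes a loss event)
    loss: tuple  # Loss Magnitude per event, primary + secondary, in dollars


def point_estimate(s):
    """Most-likely annualized loss: TEF x Vulnerability x Loss Magnitude."""
    return s.tef[1] * s.vuln[1] * s.loss[1]


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate(s, runs=20000, seed=7):
    """Monte Carlo: sample each FAIR factor from a triangular distribution,
    draw the year's number of loss events, and sum their magnitudes."""
    rng = random.Random(seed)
    tri = lambda lo, ml, hi: rng.triangular(lo, hi, ml)  # stdlib arg order
    annual = []
    for _ in range(runs):
        events = poisson(rng, tri(*s.tef) * tri(*s.vuln))
        annual.append(sum(tri(*s.loss) for _ in range(events)))
    return annual


def summarize(annual):
    """Figures for the C-suite: mean, median, 90th percentile, P(no loss)."""
    srt, n = sorted(annual), len(annual)
    return {"mean": statistics.fmean(srt), "p50": srt[n // 2],
            "p90": srt[int(n * 0.9)], "p_no_loss": srt.count(0.0) / n}


NO_FDE = FairScenario("laptop theft, unencrypted", (2, 5, 12),
                      (0.6, 0.8, 0.95), (20_000, 120_000, 900_000))
WITH_FDE = FairScenario("laptop theft, full-disk encryption", (2, 5, 12),
                        (0.01, 0.03, 0.08), (20_000, 120_000, 900_000))

if __name__ == "__main__":
    for s in (NO_FDE, WITH_FDE):
        print(s.name, round(point_estimate(s)), summarize(simulate(s)))
```

The gap between the two scenarios' mean annual loss is the dollar value of the encryption control, which is the number that competes for budget against the hacktivist spending the article's speakers question.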

According to Ken Rowe, director, enterprise systems assurance, for the University of Illinois-Chicago, 80 to 85 percent of compliance controls are “just good IT principles you should already have.”

“We have to move past the ‘check-the-box’ mentality on compliance,” he says. “We need to talk about concerns, worst-case scenarios, not just in risk management terms. Compliance might start out as a checklist, but it can evolve.”

Ward Spangenberg, CISO, Pearl.com
Ward Spangenberg (far left), CISO at Pearl.com, uses his ethical hacking background to uncover loopholes and entry points in both information and physical security at Pearl.com. Photo by Tom Ford of Ford Photography.

The CISO and the CSO

Both Spangenberg and Whiteside are responsible for aspects of physical security at their organizations as well as information security, and that seems to be a sweeping trend for CISOs in the industry.

While Spangenberg, being the CISO at a small start-up company, is dealing mostly with the basic security issues at Pearl.com’s office building, he is also using his “grey-hat” hacker background to conduct physical penetration tests. He might show up at a building holding a heavy box, struggling to get into his pocket at the door, just waiting for a friendly employee to walk by and let him in. After that, he can test how close he can get to data centers or other valuable locations within a building.

Whiteside, on the other hand, is working alongside physical security personnel to improve reporting protocols between IT and security. In the Spectrum Health System, security officers have arrest power, and they have a list of questions to ask suspects, including ones about how and where they obtained a device. Similarly, if IT uncovers information about a data leak, officials from that department would ask physical security questions, such as how the suspect obtained access to the area.

As these lines of communication begin to open between IT and security, many of the speakers expect great strides forward in the cyber aspects of physical security, as well as in the attention paid to cyber security throughout entire organizations.

KEYWORDS: Bring Your Own Device (BYOD) CISO cyber security healthcare security SC Congress
