Re-training Canada’s veterans for a second career in IT

Coding For Veterans

Coding for Veterans aims to help Canadian veterans transition from military service into Canada’s ICT sector by providing them with industry-specific, job-focused training and mentorship, helping to meet the sector’s demand for skilled workers.


Classes are taught through our accredited educational partners. This hands-on program will be designed to give the people leaving Canada’s military the ability to transition into jobs in Canada’s IT sector.

The program will revolve around two different training streams: basic and advanced. The intro level programming course will teach individuals the skills that are essential to any computer programming job. The advanced level courses (cyber, data analytics) will enable individuals with a higher level of expertise to further their technical skills and develop a specialization in certain areas.

Work placement and industry outreach will form part of the program’s core structure, so there will be jobs available for the program’s graduates.

  • With Coding for Veterans, the best and brightest former military members will gain computer programming skills and the opportunity to enter Canada’s technology-based workforce.
  • The program will provide support and resources to the graduating students.
  • A business network of certified employer partners, companies ready to hire veterans, will be developed around the program.
  • We work and partner with Veterans Affairs to promote this program, find talent and help veterans find high-quality jobs.
  • We will provide the ideal environment for veterans to connect with employers and with former military members who have successfully transitioned.

Coding for Veterans consists of 3 phases.

The 1st phase consists of assessing potential candidates for the “Coding for Veterans” program.

The 2nd phase consists of the educational components: technical and work culture. Upon completing the program, each graduate will have the necessary knowledge to specialize in the IT industry’s specific sectors.

Ultimately, each will be well-equipped to partake in meaningful employment within Canada’s Cyberspace economy.


3 Ways to Implement Zero Trust (ZT) Without Rebuilding Your Network

By Adam Case ( Technical Offering Manager – Cloud Identity, IBM Security )

Risk never sleeps. As mobile devices flood the enterprise (especially for a younger generation of workers), the Internet of Things (IoT) expands, and cybercriminals grow in both numbers and sophistication, many security professionals think Zero Trust is the safest approach to defending against constantly evolving network and data security threats.

Network vulnerabilities can be found in the most unlikely places. Bloomberg Businessweek, for example, described a case in which an internet port in a hotel room’s motorized, remote-control curtains offered access to the hotel’s internal computer systems. Fortunately, a cybersecurity contractor discovered that particular security gap during an audit, but the lesson rings true: In today’s connected world, unlocked doors, backdoors and trap doors could be almost anywhere.

What Is Zero Trust Security?

The term Zero Trust was coined by John Kindervag, an analyst at Forrester Research, in 2010, when the model for the concept was first presented. A few years later, Google announced that it had implemented Zero Trust security in its network, which led to growing interest in adoption within the tech community. ZT gained further traction in 2013, when Forrester Research submitted a report to the National Institute of Standards and Technology (NIST), which was seeking input from technology experts as part of a U.S. government cybersecurity initiative. Forrester, citing a new environment in which “changes like mobility and big data have made ‘building stronger walls’ an expensive farce that will not adequately protect networks,” introduced the concept of Zero Trust, urging organizations to “make security ubiquitous throughout the network, not just at the perimeter.”

Zero Trust refers to both a set of practices and a network design philosophy. In short, zero trust inverts the “trust but verify” approach to “verify and never trust.”

Achieve Zero Trust Security in 3 Steps

According to Forrester, organizations should ideally rebuild their networks “from the inside out,” starting with the “system resources and data repositories that we need to protect as well as the places where we need to be compliant.” However, while rebuilding the network may be a desirable long-term goal, there are myriad ways organizations can gain the benefits of zero trust without embarking on a project of that magnitude.

Here are three steps you can take to introduce zero trust security principles into your organization.

1. Strengthen Identity Validation

Although passwords are the first line of defence for most networks, 59 percent of users have the same password for multiple accounts — and it’s a good bet that the remaining 41 percent vary their passwords by only a few characters. Identity and Access Management (IAM) solutions enable organizations to enhance security by applying multifactor authentication (MFA), which may require biometric factors, such as a fingerprint or iris scan, or the use of a physical object, such as a FIDO2-supported device.

2. Segment Sensitive Data

Segmenting or microsegmenting your network enables you to keep large portions of the network safe in the event of a breach, thereby minimizing the damage. The human resources system, for example, is an obvious choice since it contains Personally Identifiable Information (PII). Experts recommend implementing network microperimeters, such as a next-generation firewall and data security controls so that intruders cannot access more than a defined subset of data, even if they can breach the perimeter defences.

3. Scrutinize Access Behaviours

In addition to guarding the network, an effective zero trust strategy includes monitoring access behaviour and using analytics to search for patterns and trends. Analytical tools that track access behaviour and identify patterns, trends and potential threats can reinforce data privacy, supporting compliance and increasing customer confidence.
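The monitoring described in this step is easiest to see with concrete data. The following added example (it is not code from the original article or from IBM) runs three simple access-behaviour checks over a handful of constructed access log lines: a user appearing on a device not in their baseline, access outside normal working hours, and a user touching an unusually large number of distinct resources within one hour. The log format, the sample lines, the baselines in `KNOWN_DEVICES` and the thresholds are all assumptions chosen for the illustration.

```python
"""Access-behaviour analytics over constructed access log lines.

Added illustrative example, not code from the original article.
The log format, sample lines, baselines and thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (not real data): "<ISO timestamp> <user> <device> <resource>"
SAMPLE_LOG = """\
2019-02-18T09:02:11 alice laptop-a17 hr-records
2019-02-18T09:15:42 alice laptop-a17 hr-records
2019-02-18T10:03:05 bob   ws-b03     marketing
2019-02-18T13:44:19 alice laptop-a17 payroll
2019-02-18T23:51:07 bob   phone-x9   hr-records
2019-02-18T23:52:30 bob   phone-x9   payroll
2019-02-18T23:53:02 bob   phone-x9   finance-ledger
2019-02-18T23:54:48 bob   phone-x9   source-code
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Baselines an analyst would derive from historical data; constructed here.
KNOWN_DEVICES = {"alice": {"laptop-a17"}, "bob": {"ws-b03"}}
WORK_HOURS = range(7, 20)            # 07:00 to 19:59 counts as normal
MAX_DISTINCT_RESOURCES_PER_HOUR = 3  # more than this in one hour is a "sweep"


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, device, resource = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "device": device, "resource": resource})
    return events


def find_anomalies(events):
    """Return (user, kind, detail) findings for the three behaviour checks."""
    findings = []
    seen_new_devices = set()
    per_user_hour = defaultdict(set)
    for e in events:
        # Check 1: device outside the user's known baseline (reported once per pair).
        if e["device"] not in KNOWN_DEVICES.get(e["user"], set()):
            if (e["user"], e["device"]) not in seen_new_devices:
                seen_new_devices.add((e["user"], e["device"]))
                findings.append((e["user"], "new-device", e["device"]))
        # Check 2: access outside working hours (reported per event).
        if e["ts"].hour not in WORK_HOURS:
            findings.append((e["user"], "off-hours", e["ts"].isoformat()))
        # Collect distinct resources per user per hour for check 3.
        per_user_hour[(e["user"], e["ts"].strftime("%Y-%m-%dT%H"))].add(e["resource"])
    # Check 3: many distinct resources in a single hour.
    for (user, hour), resources in per_user_hour.items():
        if len(resources) > MAX_DISTINCT_RESOURCES_PER_HOUR:
            findings.append((user, "resource-sweep",
                             f"{len(resources)} distinct resources in hour {hour}"))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'new-device': 1, 'off-hours': 4, ...}."""
    return dict(Counter(kind for _, kind, _ in findings))


if __name__ == "__main__":
    for finding in find_anomalies(parse_log(SAMPLE_LOG)):
        print(finding)
    print(summarize(find_anomalies(parse_log(SAMPLE_LOG))))
```

In the constructed sample, `alice` stays within her baseline, while `bob` trips all three checks: an unknown device, four off-hours events, and four distinct resources inside one hour. In practice the baselines would be learned from weeks of history rather than hard-coded, and the thresholds tuned per role.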

The Success of Your Business Is at Stake

A network data breach puts not only customer information, such as credit card numbers, but also corporate intellectual property, employee records and more at risk. In addition to financial damage, loss of reputation and customer confidence, as well as potential legal liability if a breach is found to violate the General Data Protection Regulation (GDPR) or other privacy laws, are at stake.

Malicious hackers never rest, but neither do the good guys on corporate cybersecurity teams. The Zero Trust approach offers a myriad of weapons for the fight.

To learn more, listen to the SecurityIntelligence podcast, “Zero Trust and the Evolving Role of Identity and Access Management.”

Zero Trust is the Way to Go!

If a data breach has occurred, it’s already too late. Data breaches may not cost every company millions of dollars, but they too often cause extensive and often irreversible damage to its reputation. Recent studies showed that after a vendor notifies customers of a breach, one-third of customers say they will no longer do business with that company. With cybersecurity, it is best to be proactive; companies need to protect against cybercrime and data breaches before they happen.

Today, cybersecurity is a $125 billion industry and will be worth $248.26 billion by 2023, and yet, regardless of the amount of money spent on preventing them, data breaches show no signs of stopping. There is an absolute need for a new way to approach cybersecurity strategy.

Traditional security approaches, such as firewalls, try to create a secure area, but that doesn’t work in a modern setting because of the adoption of cloud software and mobile access, as well as the sophistication of hackers. That means you need to adopt an approach that recognizes the importance of your data everywhere.

That approach is TNO, Trust No One, or Zero Trust security. Zero Trust is a set of lenses through which to evaluate every user: verify who they are, see what data they want to access and what security state they are in, and limit that access in a way that minimizes exposure and attack surface, vastly reducing the opportunities for bad actors to operate, from within and without.

Zero Trust operates on three core premises to achieve maximum security:
1) Verify every user,
2) Validate every device, and
3) Intelligently limit access based on users’ specific needs.
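The three premises above map directly onto a policy decision: each request is checked for a verified user, a validated device, and an explicitly granted action on a specific data segment, with everything else denied. The block below is an added example, not code from the original post; the `AccessRequest` and `Decision` types, the `evaluate` function, and the sample `POLICY` and `REQUIRED_POSTURE` tables are all assumptions constructed for the illustration.

```python
"""Zero Trust access decision: verify the user, validate the device, limit access.

Added illustrative example, not code from the original post. The types,
function names, policy table and posture requirements are assumptions.
"""
from dataclasses import dataclass, field

# Least-privilege policy (constructed): data segment -> role -> permitted actions.
# Anything not listed here is denied, so the default is "never trust".
POLICY = {
    "hr-records": {"hr-analyst": {"read"}, "hr-admin": {"read", "write"}},
    "payroll":    {"hr-admin": {"read"}, "finance": {"read", "write"}},
    "marketing":  {"marketing": {"read", "write"}, "finance": {"read"}},
}

# Device posture every request must satisfy, whatever the user's role.
REQUIRED_POSTURE = {"disk_encrypted": True, "os_patched": True, "managed": True}


@dataclass
class AccessRequest:
    user: str
    roles: set
    mfa_verified: bool      # did this session complete a second factor?
    device_posture: dict    # attributes reported by device management
    segment: str            # which microsegment / data store is requested
    action: str             # "read" or "write"


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)   # empty when allowed


def evaluate(req: AccessRequest) -> Decision:
    """Apply the three Zero Trust premises; any failed check denies the request."""
    reasons = []
    # Premise 1: verify every user. A session without MFA is untrusted.
    if not req.mfa_verified:
        reasons.append("user: MFA not completed")
    # Premise 2: validate every device. Every posture attribute must match.
    for check, wanted in REQUIRED_POSTURE.items():
        if req.device_posture.get(check) != wanted:
            reasons.append(f"device: posture check '{check}' failed")
    # Premise 3: limit access to what the user's roles are explicitly granted
    # on this segment. Unknown segments have no grants and are denied.
    grants = POLICY.get(req.segment, {})
    if not any(req.action in grants.get(role, set()) for role in req.roles):
        reasons.append(f"access: '{req.action}' on '{req.segment}' "
                       f"not granted to roles {sorted(req.roles)}")
    return Decision(allowed=not reasons, reasons=reasons)


COMPLIANT_DEVICE = {"disk_encrypted": True, "os_patched": True, "managed": True}


def sample_requests():
    """Constructed requests covering the allow path and each denial reason."""
    return {
        "analyst_read": AccessRequest("alice", {"hr-analyst"}, True, COMPLIANT_DEVICE, "hr-records", "read"),
        "no_mfa":       AccessRequest("alice", {"hr-analyst"}, False, COMPLIANT_DEVICE, "hr-records", "read"),
        "bad_device":   AccessRequest("carol", {"finance"}, True, {**COMPLIANT_DEVICE, "disk_encrypted": False}, "payroll", "write"),
        "no_grant":     AccessRequest("alice", {"hr-analyst"}, True, COMPLIANT_DEVICE, "hr-records", "write"),
        "unknown_seg":  AccessRequest("alice", {"hr-analyst"}, True, COMPLIANT_DEVICE, "source-code", "read"),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        d = evaluate(req)
        print(f"{name:12s} -> {'ALLOW' if d.allowed else 'DENY'} {d.reasons}")
```

Note that the checks accumulate reasons rather than returning at the first failure, so a denied request tells the operator everything that was wrong with it; in a real deployment the posture attributes would come from the endpoint management system and the role grants from the IAM directory, not from literals in the code.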

Cybersecurity training and awareness alone aren’t enough; it only takes one weak link to compromise access. Companies have to operate on the assumption that hackers can breach their security layers at any given time. Zero Trust embodies this assumption of constant threat, continually limiting access to address that concern, while also not overly burdening users with unnecessary authentication.

According to experts, Zero Trust is the most researched cybersecurity trend, more than biometric data, and more than blockchain. It makes sense. It is catching on. I’ll continue to promote it as one of the best security postures a company can take today.

Start reading here: Zero Trust Networks, by Evan Gilman and Doug Barth. Publisher: O’Reilly Media, Inc. Release date: July 2017. ISBN: 9781491962183.

Cybersecurity Plan

Writing a basic security plan is a must for all businesses, regardless of size. For a small business, drafting an essential security plan will take a few hours (8 to 10 hours), writing up an inventory list a few more (2 or 4 hours), and after that, coming up with the relevant update and recovery checklists should take you a few more hours again (4 or 5 hours).

Note: drafting the information security policies, procedures, and process documentation needed to satisfy ISO 27001 requirements is not proportional to the size of your organization; it will take a few dedicated days (4 or 5 days) and a few weeks to refine.

Here’s how a small business builds its working cyber security plan. Large companies have more complex needs requiring a more sophisticated strategy, which is beyond the scope of this article; contact me if you need assistance with your needs.

You don’t need to be an IT security expert to get the job done. If you can run an application like LibreOffice to edit a document and browse the web, you already know enough to protect your organization at a basic level, no black magic involved. Investing in cybersecurity always delivers a considerable return on investment. Using the FCC Cyber Security Planning Guide, you can create a simple cybersecurity plan for your organization. The first draft of your cyber security plan doesn’t have to win a Pushcart Prize, but make sure that it isn’t a candidate for the Flannery O’Connor Award for Short Fiction either. It does not need to run to hundreds of pages with chapters of fine detail. Your plan needs to outline the threats you are likely to face and establish sound policies, procedures, and processes, with clear responsibilities for taking action.

The best security plans are simple, but they demand that everyone involved be proactive and vigilant about security. Everyone concerned should take note of which policies, processes, and procedures are working and which need to be polished, changed, or just thrown out. It’s all about involving everyone and validating your collective knowledge required to be in charge of your cyber security.

To identify and understand your risk, start by listing all your digital assets, such as emails, work files, financial records, employee information, business and project plans, schedules, clients’ data, contracts, and any other information you want to protect.

Before you can protect anything, it is essential to figure out how to achieve your goals by taking inventory of all your assets that contribute to your business and security. For many companies, this may include objectives such as:

  • Protecting all your data, such as:
    • Customer sales records
    • Customer credit card transactions
    • Customer mailing and email lists
    • Customer support information
    • Customer warranty information
    • Patient health or medical records
    • Employee payroll records
    • Employee email lists
    • Employee health and medical records
    • Business and personal financial records
    • Marketing plans
    • Business leads and inquiries
    • Product design and development plans
    • Legal, tax and financial correspondence
  • Meeting your regulatory and legislative obligations;
  • Showing your suppliers and clients that you are proactive about your security by implementing and complying with best-of-breed standards from ISO, NIST, and many others.

List your employees and allocate a cyber security task to every person: for example,

  • Responsible for overall cyber security, Information Security Officer;
  • Accountable for all security-led technical changes, the person most comfortable with software and hardware;
  • Responsible for scheduling and managing updates and checks, everyone with a team leader.
  • Moreover, everyone must acknowledge that they are liable for ensuring they understand the risks such as email scam and malware threats, and the need to be vigilant while in cyberspace.

Other things you have to account for with your cybersecurity policies, procedures, and processes like:

  • Accidental damage, like dropping a tablet and breaking the screen,
  • Technical failure, such as the death of a vital server,
  • Natural disasters such as earthquake, flood, and fire,
  • Crime, like a break-in at your premises,
  • External risks like malware attacks and industrial espionage,
  • Employee negligence, such as unintentional file deletion,
  • Employee misconduct, like stealing customer data.

Using NIST SP 800-53 R4, Security and Privacy Controls for Federal Information Systems and Organizations, you can formalize your security controls to help you manage your risks and figure out which people will manage those risks best. NIST SP 800-53 and ISO 27002 will help you decide everything you need in order to plan how to select controls that mitigate the risks. If you are a Microsoft Windows user, in your efforts to detect, update, recover, and practice safe computing, your controls might include things like:

  • Ensure that all your mail gets swept for viruses, archived, and kept secure;
  • Use digital signature and encryption certificates;
  • Encrypt your data and move it to a central file server;
  • Stop staff from storing information on their local computers;
  • Back up vital encrypted data every day, with local copies and in the cloud (DropBox, Google Drive, iCloud, Mega, OneDrive, SpiderOak);
  • Encrypt and store critical customer and business information locally and in the cloud (DropBox, Google Drive, iCloud, Mega, OneDrive, SpiderOak);
  • Use TNO computing (Trust No One, i.e. network segmentation), where only people working on a given project have access to that project’s files;
  • Enforce TNO computing and restrict access to business information like clients’ accounts and payroll to a need-to-know basis;
  • Set up BitLocker, GNU Privacy Guard or AxCrypt on all your computers to protect your data against loss or theft;
  • Security-marking every piece of equipment (PC, server, laptop, tablet, mobile phone, and so on);
  • Have a third party conduct an annual audit of your physical security, locks, and alarms;
  • Update your security policies, procedures, and processes yearly and train all new staff, without exception;
  • Hold a refresher course to ensure everyone in the company is familiar with security policies, procedures, and processes changes;
  • Spot-check regularly to ensure staff take security seriously and follow established protocols.

It’s a reasonably straightforward exercise, but even a basic cybersecurity plan can save you a world of pain. To ensure the integrity of your cybersecurity plan and its policies, procedures, and processes, it is wise to employ a third party to audit your cybersecurity as a whole, or simply to help you implement it, including the documentation and controls.

You will find helpful links in the FCC Cyber Security Planning Guide.


Guide to Developing a Cyber Security and Risk Mitigation Plan – NRECA / CRN.

Cyber Security Planning Guide – FCC (accessed February 18, 2019).

Cyber Security Bulletin: Scams And Frauds – US Army (accessed February 18, 2019).

Cyber Security Planning Guide – Homeland Security | Home (accessed February 18, 2019).

Attribution and Prosecution

Justice in Cyberspace

Cybercrimes are on the rise worldwide, yet national law enforcement agencies around the world have very little success with arrests and even less with prosecutions; no matter how much money is spent, putting cybercriminals behind bars will continue to prove elusive.

Two of the reasons are attribution and jurisdiction; cybercriminals know this and take full advantage of it.

To put a dent in this trend, two things need to happen.

(1) The creation of an International Attribution Consortium[i] consisting of a “broad team of international experts would provide an independent investigation of major cyber incidents for attribution. Membership should include representatives from two sectors: (a) technical experts from cybersecurity and information technology companies, as well as academia, and (b) cyberspace policy experts, legal scholars, and international policy experts from a diversity of academic and research organizations. A credible and transparent attribution organization should not include the formal representation of nation-states, to avoid an appearance of bias and to protect transparency.”

(2) Nations must stop the current tendency of using their laws (justice systems) and enforcement units to advance political and national interests. Governments need to realize that prosecuting cybercriminals in the jurisdiction(s) where the crime was committed benefits all concerned, especially where wanton criminal acts traverse geographical borders, creating economic and political havoc in multiple domains, and jurisdictional gridlock leaves the criminals free to repeat their most successful exploits. International law enforcement cybercrime units, like the Interpol and Europol cybercrime units, need real power to chase and arrest cybercriminals and ensure their prosecution, hopefully in the jurisdiction with the most severe penalties.

Sadly, Item (1) is more likely to happen anytime soon than Item (2).

Federal budget: RCMP, CSE to get new cybercrime fighting centres (Note: cybercrime fighting centres are a good worldwide trend currently, but with very little worldwide coordination.)

[i] Davis, John S. II, Benjamin Boudreaux, Jonathan William Welburn, Jair Aguirre, Cordaye Ogletree, Geoffrey McGovern, and Michael S. Chase, Stateless Attribution: Toward International Accountability in Cyberspace, Santa Monica, Calif.: RAND Corporation, RR-2081-MS, 2017.

Privacy Information Management System (PIMS)

Help is almost here for implementing and confirming compliance with the General Data Protection Regulation (GDPR) and other information privacy acts. ISO/IEC DIS 27552 is designed to enhance the existing Information Security Management System (ISMS, see the ISO/IEC 27000 series) with additional requirements to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). ISO/IEC 27552 provides a framework for Personally Identifiable Information (PII) Controllers[i] and PII Processors[ii] to manage privacy controls, reducing risks to individuals’ privacy rights. It acts as an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management requirements and guidelines.

ISO/IEC 27552 augments the existing ISMS with privacy-specific controls and creates a PIMS to enable effective privacy management within an organization. A well-thought-out PIMS implementation can bring many potential benefits for PII Controllers and Processors.

First, managing compliance with various privacy regulations and policies from numerous jurisdictions can be burdensome, especially since those laws were not organized in a way that makes them easy for PII controllers and processors to apply. Annex C demonstrates that a single control can account for multiple requirements from the General Data Protection Regulation (GDPR). Using the standard can significantly reduce the complexity of meeting regulations.

Second, the requirement for Data Protection Officers will help provide evidence to senior management and organization board members on their progress in regulatory privacy compliance. Compliance evidence based on a PIMS and, potentially, its certification can provide the necessary assurance to senior management and board members that the organization’s implementation meets the applicable privacy requirements.

Third, PIMS certification can be valuable in demonstrating an organization’s privacy compliance to customers, partners, and authorities. PII controllers generally demand evidence from PII processors that the processors’ privacy management system adheres to the required privacy requirements. A consistent evidence framework based on the international standard can greatly simplify such proof of compliance, especially when the evidence needs validation by an accredited third-party auditor. A well-implemented and reviewed ISO/IEC 27552 PIMS is a necessity for the all-important compliance transparency so critical to an organization’s strategic business decisions, such as mergers and acquisitions. It will also play a significant role where multiple organizations develop and implement scenarios involving data sharing agreements. Lastly, certifying an organization’s PIMS can potentially serve to signal trustworthiness to the public.

The standard segregates the requirements into the four following groups:

  • Clause 5 outlines PIMS requirements related to ISO/IEC 27001.
  • Clause 6 outlines PIMS requirements related to ISO/IEC 27002.
  • Clause 7 outlines PIMS guidance for PII Controllers.
  • Clause 8 describes PIMS guidance for PII Processors.

Further, ISO/IEC 27552 includes the following informative Annexes:

  • Annex A lists all appropriate controls for PII Controllers.
  • Annex B lists all suitable controls for PII Processors.
  • Annex C charts ISO/IEC 27552 controls against GDPR.
  • Annex D charts ISO/IEC 27552 controls against ISO/IEC 29100.
  • Annex E charts ISO/IEC 27552 controls against ISO/IEC 27018.
  • Annex F charts ISO/IEC 27552 controls against ISO/IEC 29151.

ISO/IEC 29100:2011 – Privacy Framework specifies a common privacy terminology; defines the actors and their roles in processing PII; describes privacy safeguarding considerations, and provides references to known privacy principles for information technology. You can download a copy of ISO/IEC 29100:2011.

ISO/IEC 27018 presents commonly accepted control objectives, controls and guidelines for implementing measures to protect PII in line with ISO/IEC 29100’s privacy principles in cyberspace (the public cloud computing environment).

ISO/IEC 29151:2017 establishes control objectives, controls and guidelines for implementing controls, to meet the requirements identified by a risk and impact assessment related to the protection of PII.

[i] A PII controller (or data controller in some jurisdictions) is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.

[ii] A public cloud service provider is a ‘PII processor’ when it processes PII for and according to the instructions of a cloud service customer. … NOTE Where the public cloud PII processor is processing cloud service customer account data, it might be acting as a PII controller for this purpose.

Semper Paratus

Cyberwarfare and cybercrime are here to stay, no doubt about that. No matter the size of your network, it is imperative to be proactive and prepare for the future. It is of the utmost importance for all organizations to take the necessary basic precautions now to provide a defence on what is now the front line of the future.

Risk management is critical to forming the basis of a sound and strategic cybersecurity program for organizations of all sizes. One can accomplish this through an initial risk assessment in which one identifies, categorizes, and ranks data according to the perceived impact on the organization should that data be exposed, lost or stolen; the aim is to have the basics in place before disaster strikes.

At a bare minimum, all organizations, no matter their size, should consider the following seven steps to protect their data, supported by standards and guidelines:

1. Set up multi-factor authentication for all users accessing your network, without exception.

  • To help you understand the MFA process, NIST presents a simple primer entitled: Back to basics: Multi-factor authentication (MFA).
  • Further, it serves well to have a copy of ISO/IEC 27001:2013 – Information Security Management System – Requirements. The standard’s requirements are generic and suitable for all organizations regardless of type, size, and nature. They specify how best to establish, implement, maintain, and continually improve your organization’s Information Security Management System (ISMS). More importantly, it provides assessment and treatment methods to tailor information security risks to the organization’s needs. To help implement Item 1, see the following requirements in ISO/IEC 27001:2013:
    • A.9.1.1 – Access control policy
    • A.9.1.2 – Access to networks and network services
    • A.9.4.2 – Secure log-on procedures
    • A.9.4.4 – Use of privileged utility programs
    • A.10.1.1 – Policy on the use of cryptographic controls
    • A.11.1.2 – Physical entry controls
    • A.11.2.9 – Clear desk and clear screen policy
    • A.13.1.2 – Security of network services
    • A.13.1.3 – Segregation in networks
    • A.13.2.3 – Electronic messaging
    • A.14.1.1 – Information security requirements analysis and specification
    • A.14.1.2 – Securing application services on public networks
    • A.14.1.3 – Protecting application services transactions
    • A.14.2.5 – Secure system engineering principles

2. Most importantly, it is critical that you use access control to manage who gets access to what data.

  • Consider ISO/IEC 29146:2016 — A Framework for Identity Management. It defines and establishes a Framework for Access Management (FAM) with pointers for the secure management of the processes to access information and Information and Communications Technologies (ICT) resources.
  • Organizations should implement Zero Trust architecture; this network segmentation approach allows an organization to adopt a “verify all” approach to data access.

3. Use encryption to protect data at rest and in transit.

4. Enable access to secure, automatic and always encrypted backups (keep Items 1, 2, and 3 in mind).

5. Restrictively manage your vendors and partners accessing your systems.

6. Be sure to develop and implement a well-exercised disaster recovery and continuity of operations plan and, more importantly, make sure it includes an alternate location from which to operate.

7. Engage cybersecurity frameworks and other regulatory controls to manage and monitor systems.


Understanding The Implications Cyberwarfare Has On Your…, (accessed February 02, 2019).

Take away from US DNI’s report

Daniel R. Coats, US Director of National Intelligence, delivered his Statement for the Record, Worldwide Threat Assessment of the US Intelligence Community, on January 29, 2019, to the US Senate Select Committee on Intelligence. It is an interesting read from which we can draw lessons to make our cyber and information security more proactive.

Here are three critical cybersecurity-related takeaways from the report.

1. China and Russia have unprecedented power to target any infrastructure and population. Others, like Iran and North Korea, remain severe threats for cyber espionage leading to financial and supply chain disruptions.

2. Cybercriminals will continue to conduct for-profit, cyber-enabled theft and extortion against any networks endangering economic health and competitiveness essential to many countries’ national security.

3. Cyberwarfare is now part and parcel of most militaries’ arsenals, and the scale of the threat is outstripping most nations’ ability, never mind most organizations’ ability, to defend against an act of aggression in cyberspace.

The report’s conclusions apply to just about any nation.

In the face of the current cyber threat environment, most nations lack a coherent cyber doctrine that will, at a minimum, defend and minimize damage to their infrastructure. They need cyber policies, procedures, and processes that proactively define their country’s intentions and interests in cyberspace; clearly articulate the online actions that they want to encourage and those that they will not tolerate; and, as a last resort, develop retaliatory measures to be applied once they achieve clear, independently verifiable attribution.

My take is that ultimately it is unlikely that any one nation or alliance will be able to change its adversaries’ political aims and agenda in cyberspace. Sadly, many will think it is worth the risk of provoking others in cyberspace to exercise their cyber warfare capabilities and extend their reach, especially the big players like China, Russia, and the United States. Thrown into the mix are smaller nations that will refine their cyber warfare capabilities to augment their security and military capabilities as a more cost-effective way to spy and wage war. Moreover, there is always the possibility of treachery on the part of unattributed actors such as thrill-seekers, rogue terrorists, or criminals triggering a cyberwar.

It’s ugly out there, and it is getting frightfully nasty for passive bystanders. Nevertheless, individuals can still be proactive with their security and deflect some dangers.


Coats, D. (2019). Statement for the Record: Worldwide Threat Assessment of the US Intelligence Community, January 29, 2019. PDF available at: —SSCI.pdf [accessed 1 Feb. 2019].

Coats, Daniel R. 1943- [WorldCat Identities] (accessed February 01, 2019).

M&A Network Security Due Diligence

Everyone knows that merging two companies is all about due diligence! When companies do mergers and acquisitions, most of the due diligence is still around financial and legal risks and, in many cases, intellectual property. What I don’t see is companies focusing on cyber and information security due diligence by digging deeper into whether the other company has suffered a breach or a compromise.

In 2017 Avast had a nasty surprise when it acquired Piriform. Hackers had compromised its CCleaner application, which ultimately led to 2.27 million downloads of the corrupt CCleaner version, putting millions of users at risk. In 2018, Marriott merged with Starwood, where hackers had had access to over 500 million customers’ data because of a security breach on Starwood’s network.

These cases will undoubtedly change merger and acquisition processes from now on, or at least they should. Had the acquirers included a focus on cyber and information security in their due diligence, I’m sure they would have found at least some indication that things were amiss.

When merging any two networks, even internal ones, there is a need to catalog and inventory; Open Audit is a good start. Also, the ISO/IEC 19770 Information Technology – IT Asset Management standard series will considerably improve accountability in a trust but verify approach.

In your proactive approach to security, download the Network Security Toolkit (NST) for best-of-breed open source network security applications to monitor and help secure all the networks before their merger, and make the NST part and parcel of your network security processes and procedures. Another good website to visit is INSECURE.ORG, a repository of the top 125 network security tools for vulnerability scanning and penetration testing, among many other useful tools and applications to help keep your network secure.

Remember it is an ugly world out there, be proactive with your security, always!

Reference: The CIO’s M&A Blog

Compliance is good for business!

When the EU’s General Data Protection Regulation Experiment (GDPR) went into effect in May 2018, many companies were caught flat-footed. Eight months later, it looks like many organizations have caught up. According to Cisco, around 60% of organizations surveyed have met most or all of the GDPR’s requirements. A further 30% of organizations are expected to meet the regulation in the next year. The last 10% estimated that GDPR compliance was more than a year away.

Half a year into the GDPR experiment, it turns out that following the GDPR has a positive effect on a company’s data security and on its resilience in the face of cybersecurity threats.

The GDPR focuses on privacy regulations for companies located in and doing business with the European Union. It imposes strict rules to protect personal information, with hefty fines attached to companies that break the rules. Additionally, it ensures that data breaches are made known to authorities within 72 hours.

A recent study of over three thousand security professionals, Cisco’s Data Privacy Benchmark Survey, found that being GDPR-compliant has positive downstream effects beyond avoiding a costly fine from the EU Commission, such as:

  • Enhance Your Cybersecurity (Better data security with better alignment with evolving technologies)
  • Improve Data Management (greater decision making)
  • Increase Marketing Return On Investment (reduce maintenance costs)
  • Boost Audience Loyalty And Trust (Improved consumer confidence)

For clients (consumers) the benefits are also excellent.

  • Right to marketing consent
  • Right to be forgotten (erased)
  • Freedom to change data
  • Right to portability, and of course
  • Right to access

Wow! It turns out the EU regulators knew what’s what!

Reminder: “Privacy is personal, meaning something we create for ourselves (which in the natural world we do with clothing and shelter, both of which lack equivalents in the digital world). Privacy is not something supplied by the grace of privacy policies and terms of service that differ with every company, and over which none of us have control.” Doc Searls, editor-in-chief, Linux Journal.