jump to navigation

1,000,000 InfoSec Job Openings in 2016! May 10, 2016

Posted by Chris Mark in cybersecurity, Industry News, InfoSec & Privacy.
Tags: , , , , , , , ,
add a comment

ATT_Sec_Conf_2015-076A recent article in Forbes Magazine outlines the current and projected information security job market.  According to the article the current job market is valued at $75 billion and is expected to grow to $170 Billion by 220.  More profoundly, CISCO estimates that there are currently 1 million InfoSec job openings in the US with, according to Peninsula Press, 209,000 currently unfilled! According to Virginia Lehmkuhl-Dakhwe, director of the Jay Pinson STEM Education Center at San Jose State University “The number of jobs in information security is going to grow tenfold in the next 10 years,”

I have been fortunate to have had a great career in information security over the past 15 years.  While my experience is unique, I have had opportunity to travel the World and work with some of the largest, and most complex companies around.  I have spoken at scores of events and have published dozens of articles and white papers.

Last year I wrote a blog post about how to get into the InfoSec career field.  Two things that many people may want to know off the bat.  1) a College Degree is NOT required (although often very helpful) and 2) The pay is VERY good. (basic supply and demand).  In my experience most people could probably get into the field with anywhere from 9-18 months of self-study.  You can get in quicker if you attend course.  For more information, please read my blog post: Getting Info Information Assurance Careers.

FTC to Audit PCI Industry March 9, 2016

Posted by Chris Mark in Uncategorized.
Tags: , , , , , , , , , , , ,

ftc_logo_430(UPDATED) I have been in the PCI “industry” since before it was an industry.  I was fortunate to have worked with Visa in 2001 on a team that helped design the CISP requirements for Service providers and subsequently worked at MasterCard a major processor and numerous QSA firms.  I can claim (along with 2 or 3 other people) to be the FIRST assessor even before we were QDSPs then QSAs. I was the PCI SSC’s global QSA trainer and Visa’s CISP trainer.  There probably only 10 people in the industry that have been doing “PCI” type work as long as I have.  Unfortunately, we lost two of those fine folks in the last several years.  One of the most frustrating aspects of being in the PCI assessment business has been competing with the “pay and stamp” assessors.  PCI is complex and conducting a solid PCI assessment is complex and not trivial. There have always been the “bottom feeders” that will guarantee a compliant finding for a nominal  fixed price fee.  For those companies that do solid work (while I compete with them I am also friends with many and can respect their work as much as my own employers) we often find ourselves on the losing end of a bid when someone agrees to assess a Fortune 100 company for a Fixed fee of $40K.  Well..the Federal Trade Commission has taken notice!

The FTC has issued an order to 9 QSA firms to assess (pun intended) how they assess companies against the PCI DSS and how their business is structured. The 9 companies listed are:

Foresite MSP, LLC; Freed Maxick CPAs, P.C.; GuidePoint Security, LLC; Mandiant; NDB LLP; PricewaterhouseCoopers LLP; SecurityMetrics; Sword and Shield Enterprise Security, Inc.; and Verizon Enterprise Solutions (also known as CyberTrust).

Here is my beef with that list.  The one company (to remain un-named for fear of a lawsuit..but we all know who it is)..that has had 7 or so of the largest credit card breaches in history as it’s clients is not listed.  3 of the companies are ‘newbys’ and 3 are very well known and respected companies.  They should have asked for “Chris’ list” 😉

After reading the order it is clear the FTC has done their homework and knows the answers they expect to get.  This is not simply smoke and mirrors.  They are asking questions related to:

  1. The bidding process for QSA work
  2. Cost structure of PCI assessment work
  3. Time associated with the average assessment
  4. number of companies found ‘non compliant’
  5. Whether a company is found ‘compliant’ BEFORE completing all work.
  6. Sampling methodology (this is a gotcha because the required methodology is outlined in the training)
  7. Qualifications

They are then asking for a sample ROC to be provided.  I cannot applaud the FTC enough for taking this step.  It is well past time that we get the “pay and stamp” providers  out of the industry! Read the Order Here!

Chris Mark speaking at Secura Risk Management Fall Forum (Oct 28-29) October 24, 2015

Posted by Chris Mark in Uncategorized.
Tags: , , , , , , , , , ,
add a comment

SecuraIf you are a bank, credit union, or work for one and want to listen to me (Chris) speak and are looking for a reason to go to beautiful Charleston, South Carolina..check out the Secura Fall Risk Management Forum!  Yours Truly will be speaking on CyberCrime and the DarkNet as well as EMV “Chip & PIN” (a misnomer but…I will not discuss here).  Should be a great event and will be in one of my favorite US cities…Charleston, South Carolina!..I have not had an opportunity to speak at a Secura event yet but they appear to be very well put together and the agenda looks very compelling.  Also, if you didn’t have a chance to attend the AT&T Cyber Security Conference in NYC, you can watch a replay of the event here!  You can see me on the ‘big stage’ talking with Jamie Wallace on Mobile Security.  It was a great event with top shelf speakers…(notice that I am rocking my Recon Jack to represent the USMC Recon Community!)

The Security Leader Lost a Visionary and Leader this Summer – Rick Dakin October 13, 2015

Posted by Chris Mark in Uncategorized.
Tags: , , ,
add a comment

CoalfireI just learned that a fine man and information security visionary passed away this summer.  Rick Dakin was the co-founder and CEO of Coalfire, a well-respected information security company.  Over the years I have had numerous opportunities to work with Rick and interface with him.  I am truly saddened to have learned that our industry has lost such a fine man and fine leader.  Under Rick’s leadership as CEO, Coalfire grew from a regional security company into an internationally known security firm.

Rest In Peace Rick…your influence in the information security and business arena cannot be overstated.

EMV- CHIP & Choice..not Chip & PIN…Start Moving! March 23, 2015

Posted by Chris Mark in Uncategorized.
Tags: , , , , , , , , ,
add a comment

platinum11chip_fr_h_1987After deviating from my ‘security’ theme, I am back to talk about InfoSec.  Last week I had the opportunity to attend Visa Accredited EMV Consultant Training at Visa’s Headquarters in Foster City, CA.  As always, Visa put on a top tier program with numerous experts in Payment Card ‘chip’ technology.  Since the topic was EMV most of the experts were from Across the Pond.  Thanks to Mark, Chris and the others for great training!

For those who are new, EMV or “Europay, MasterCard, Visa” is a technology where a microprocessor ‘chip’ is embedded in a payment card (credit card, debit card, etc.).  It is often erroneously referred too as “Chip & PIN” but EMV really only applies to the Chip technology.  If a region or issuer wants to prefer PIN, they are able.  Visa has a “Chip and Choice” model where they allow Chip with signature, no signature, or PIN depending upon the issuer, the risk and type of transaction (ie. Debit for Cash or ATM require a PIN).  There was too much information over 2 days to talk about in this post but there was one point I learned and wanted to pass on..

In October 2015, Visa is offering a ‘liability shift’ for merchants who adopt EMV.  My belief (it was wrong) until I attended the training was that the EMV liability shift only affected those merchants who 1) accepted a ‘chip’ card and on ‘chip’ transactions.  These are known as ‘chip on chip’.  It is critical that Merchants understand that the liability shift occurs for merchants who accept transacitons over a dual interface terminal (Chip and NFC) who accept transactions of ANY form.  As an example, if you accept 99% mag stripe transactions but you have dual interface terminals…the fraudulent transacion due to counterfeit have liability shifted to the issuer!  It does NOT have to be a Chip on Chip transaction.

The Second important point to remember is that Visa is offering a Technology Incentive Program (TIP) that states if a Level 1 Merchant accepts 75% of transactions over a Dual Interface terminal, they do not have to validate compliance with an onsite assessment.  There are some caveats to this so make sure you read the rules!

To get ready for implementation, ensure you download the Visa Merchant Readiness Acceptance Guide here.

%d bloggers like this: