CIA’s John Mullen Declares People Biggest Threat and Risk Management Best Defense

06 August 2013

People present the greatest cyber vulnerability, and educating them is key to protecting your valuable information, John K. Mullen, senior operations officer at the CIA, told the audience at the 2013 SINET Innovation Summit in New York on August 6th 2013.

“Whether it’s a trusted insider betrayal, through blackmail or naiveté or a result of remote recruitment”, people are your main threat. “Scientists say people are more willing to share secrets online than anywhere else, and Americans fall for social pressures [social engineering] time and time again”.

It only takes one individual in thousands to betray our government, “and that one individual only needs to get it right once. One betrayal can cause loss of life, loss of profit”, he explained.

The unintentional insider threat is also a big problem, especially when your staff are mobilised and travelling abroad. Mullen gave the following advice for minimising the risk:

  1. Never lose sight or physical control of your device: “It surprises us what people put on their devices that they don’t need to take with them”
  2. Never accept files
  3. Never use local services

Mullen described his career as “playing the offense.” You can have an active offense and know a lot, he explained, but “if you don’t apply it, you’ll be beat.” While Mullen described offensive operations as “dynamic and constantly moving”, he labelled static defense as being vulnerable to “defeat over time”.

Managing Risk

Having defined the information security challenges, Mullen declared risk management as the strategy that will “protect your organisation, your IP, your ROI and your networks.” Security programs, he admitted “are not easy and they don’t generate revenue, but they’ll protect your longer-term visibility and revenue.”

The CIA often sees organisations trying to shave money from the security budget. “People are trying to protect their profits, but you need to protect what gives you your competitive edge”, he advised. Protecting information is inconvenient, but you have to consider what you can’t afford to risk. “Security and risk mitigation has to be a part of everything you do before you do it.”

“Cyber-attacks are ongoing, security technology fails, people are naïve and people may betray your company”, he said bluntly. “So identify the one thing that is most important to you and put resources into protecting that. You have a better chance of survival if you do that.”

Besides risk management, Mullen’s other significant advice for organisations is to “get as many people around the table as possible when discussing a new technology process”, with representatives from all parts of the business. “In CIA we do a pretty good job of this”, he concluded.
