Stories by Mathias Thurman

Some security weaknesses can't be found with a scan or a vulnerability assessment of the infrastructure. As a security manager, you have to keep your eyes open for things that aren't as secure as they should be, based on any evidence that comes your way. That happened to me a few weeks ago, in just about the best way possible. We were able to take steps to tighten security in a particular area after an incident that could have been damaging but actually wasn't. I wish all our security lessons could be so benign.

People like to ask the security manager, "What keeps you up at night?" My usual answer: "Employees." And there's good reason. About 95% of the security incidents my department responds to are a result of an employee doing the wrong thing, whether it's clicking on an evil link within an email, installing a malicious program or sending a sensitive document outside the company.

The resources on our network have been given too much access to the Internet, and we need to curb that.

When it was time to write this column, the only thing on my mind was the OpenSSL Heartbleed vulnerability. If you have anything to do with infosec, it was probably dominating your days as well.

My company is always looking for ways to save money. One maneuver -- outsourcing the development of a module of one of our software products -- almost cost us big time.

It started out as a simple call to the help desk from an engineer at one of our major development centers: Phone calls were being dropped. Soon, similar complaints were coming in from other engineers, as well as from sales associates, who said the inability to maintain phone calls was making it difficult to close deals.

Thank you, Target! It's a pity that security managers have to capitalize on other organizations' misfortunes to broker change within their own enterprises, but the notorious Target breach of late last year just might get me some things I think my company has needed.

As a security manager, I expect my company to be hit by malware infestations, data theft, denial-of-service attacks and attempts at unauthorized access. I deal with them all as they arise, and they do keep things interesting.

Implementing technology to monitor user and network activity can be an eye-opener.

We looked into mobile device management (MDM) in 2012, but the time didn't seem right. Now, some 18 months later, things have changed, and MDM is looking more like a good fit for us.

Security incidents are a complete disruption of my normal day-to-day activities. I love them. I especially like it when they uncover systemic problems we might not otherwise have found out about. We had one of those this week.

Every fall, I conduct a policy review. I think it's a good idea to have this on my calendar, because no policy, no matter how well crafted, is meant to last for all time. New standards arise and old ones are modified, making some policies deficient. Or a security incident, an audit or some business reality that was previously unacknowledged emerges to demonstrate how a policy falls short.

We just found 30 servers that can't be accounted for. Thirty Internet-facing servers with no malware protection and patchy patch histories. I need to take a deep breath and figure out just how bad this is and what we can do to stop this sort of thing from happening again.

I love DLP! That's not a statement that would sell a chief financial officer on data leak prevention, but I can show real ROI from our deployment as well.

I took somebody's word for something, and I didn't subsequently check it out to my own satisfaction. Result: big trouble. Lesson: always verify.