Our approach:
Whenever possible we will take time to assist the press in its efforts to inform both general and specific audiences about information security and data privacy. In addition to the articles and slides published on this site, we are happy to provide the press with further explanations of information security and privacy concepts. We can also provide comment and reaction on new trends, threats, and concerns. In the event that we do not feel we are qualified to comment, we will let you know. Furthermore, we will do our best, using our extensive network of contacts, to put you in touch with someone better placed to help you. Please email sc at cobbassociates dot com if you want to set up a call. In the meantime, we hope that you find this site's resources helpful.
Stephen Cobb has been widely quoted in major publications, including The Wall Street Journal, The New York Times, The Boston Globe, The LA Times; his writings have been referenced in proceedings of the U.S. Federal Trade Commission and the British Parliament.
Why write and speak?
We write and speak to the press to further our goal of maximizing the benefits of information technology to enterprises, governments, and communities through the reduction of IT-related risk. That risk can only be reduced effectively when it is understood properly. To that end we give interviews, provide background and commentary, publish books and articles. We explain the risks to information as well as suggest ways to reduce them. We try to make the ideas and issues as accessible as possible and to make as much of our work available via the internet as we can. Lately we have been using blogs as an additional means of accomplishing this goal.
Stephen Cobb has written more than two dozen books and hundreds of articles. His books have been translated into at least ten languages, including Tagalog. The total number of Stephen Cobb books in print exceeded 1,000,000 copies somewhere around 1990.
What is infosec?
Just so we are clear, infosec is an abbreviation of information security. The three main concerns or "pillars" of information security are the Confidentiality, Integrity, and Availability of information (a handy way to remember this is through the initials: CIA). Because the goal of information security professionals is to assure the confidentiality, integrity, and availability of information, another term for information security is information assurance. For example, Stephen Cobb is an Adjunct Professor of Information Assurance at Norwich University, Vermont, which offers a Master of Science in Information Assurance. (You will find a short definition of CIA on the right; additional "pillars" of security are sometimes enumerated, as in this description of Internet security.)
Infosec is widely associated with computers but actually covers information in other forms, such as written correspondence. A subset of information security is information system security. The implication is that the information to be secured is on a computer system. That is why the foremost professional qualification in this field is the CISSP or Certified Information System Security Professional. The term "computer security" is largely synonymous with "information system security" although some purists may consider it to be a subset because some parts of an information system, such as communications links, are not in themselves computers. However, computer security is widely understood to encompass just about anything to do with information that is, at some point, processed and stored by a computer.
Say hello to the new threat, same as the old threat:
On countless occasions over the years we have been contacted by journalists wanting to know more about the latest threat to computers, email, data, privacy, the Web, the Internet, electronic banking, and so on. After first making sure that the journalist properly understands the nature of the threat we then attempt to place the threat in context. Sometimes it is much-ado-about-nothing, but too often it is a serious threat that needs to be publicized. Sadly, more times than not, we sum up our assessment with this statement: "It is probably going to get worse before it gets better."
Cynics might argue that we take a pessimistic view because it is good for business, but we can assure you that is not the case. Most information security professionals are like the physician who would prefer to be out of a job because that would mean all human ailments had been cured. Nothing would please us more than to be free to enjoy information technology with no more worries about how it might be misused. Indeed, many of the founding figures in infosec only entered the field because of some specific security problem they encountered. After all, information security was scarcely a profession twenty years ago. For example, CISSP qualification is overseen by the International Information Systems Security Certification Consortium or (ISC)² which was not formed until 1989. The first exam wasn't administered until the Fall of 1994 (Stephen Cobb took the exam in the Spring of 1996).
And when people ask us "What are the latest threats?" we often have to tell them "Same as the old threats." Consider spam and worms and viruses and phishing. All of these surged in late 2006 and early 2007. But there is little that is new about them from a technical perspective. What is new is the scale and the motivation. The scale is a function of technology adoption and improvement. There is an ever-growing pool of users from which to breed 'bad actors.' Assume ten percent of the user population is inclined to abuse systems for fun, malice, or money. These are the bad actors. Bigger user population = more bad actors. Broader availability of higher, broader bandwidth connectivity helps to accommodate the increasing number of people who want to abuse systems.
As to motivation, this is probably the most 'new' part of new threats. The stereotypical keyboard tapping teenage malcontent of ten years ago has been replaced by serious criminals, organized criminals, people intent on abusing systems to make money or take money. They are putting considerable resources into their efforts and probably reaping lucrative rewards while exposing themselves to minimal risk. One might say: Old threats, new threads.
Speaking of writing:
In addition to talking to journalists, we are always happy to consider taking on article assignments. Over the years we have sourced weekly and monthly columns for a wide range of publications as well as one-off commissions.
Speaking of speaking:
We are happy to supply or help you identify speakers on all aspects of information security to help you further the goal of educating all segments of society, and all sectors of business, on information security issues and challenges.