In the Middle Ages, heavily fortified countercastles were built throughout a land to stop enemies from advancing too far into a kingdom. A layered defense dotting the landscape was best, since an enemy could appear at any time, from any direction.
Today, bad guys can materialize anywhere in cyberspace — or even in many places simultaneously — which means your defenses need to be interwoven everywhere throughout your network, systems, and human behavior.
Interweaving security requires tailoring it to the people, processes, and systems that are vulnerable, which means generic security isn't effective,1 as proven by the billions of dollars lost each year to cybercrime.2 When the federal government suffered the worst data breach in U.S. history,3 it was due to the dangerous misconception that generic security tools were working. But in truth, management had no idea where its gaps actually were.
Defending all fronts requires:
Learn more about our services, contact us to get started, or follow us on Twitter.
Active in security since 1985, Scotch is a cybersecurity consultant, researcher, hacker, writer, and speaker.
A sought-after expert in building security programs, risk and gap analysis, compliance and legal issues, penetration testing, security architecture, fraud prevention, counterintelligence, and security training, his past clients have included companies like Cisco, Intuit, Sempra, Mitsubishi, and Viacom. A FBI Infrastructure Liason, Scotch currently serves as an on-demand Chief Information Security Officer (CISO) for a variety of Los Angeles area clients.
Career highlights include 9 years as a security architect and engineer at Wells Fargo, where he helped design the company's fraud detection, 2-factor authentication, E-vault, crypto acceleration, DMZ, cloud, and load balancing schemes, while innovating the use of honeypots to aid F.B.I. fraud investigations.
He also spent 5 years as a Security Principal at Sempra, where he managed the security architecture and penetration testing of over 90 projects, some with billion-dollar budgets, while following Homeland Security, Department of Energy, and NIST best practices.
Scotch studied English literature and computer science at the University of California, cryptography at Stanford, and Risk Management at Texas A&M. He is a member of the Upsilon Pi Epsilon (UPE) Honor Society for Computing Disciplines, and received his M.S. in Cybersecurity from the University of Maryland, a NSA Center of Excellence. He holds CISSP, CISM, and Certified Ethical Hacker (CEH) certifications.
Scotch remains an avid security researcher and critical theorist, with a strong focus on security's intersections with virtual spaces, artificial intelligence, espionage, psychology, popular culture, creativity, and the arts. A longtime performance artist himself, his paper "Kidnapping As Art" (MIT Press) explored the economics of "art kidnappings." He also authored the absurdist comedy novel, Two Performance Artists Kidnap Their Boss And Do Things With Him (Freakshow Books), which won the Silver Award for Best New Voice from the Independent Book Publisher's Association in 2015 — and of course, it features plenty of hacking.
- Siponen, M. (2003, July). Information Security Management Standards: Problems and Solutions. In 7th Pacific Asia Conference on Information Systems (pp. 1550-1561). Proc. in PACIS, Adelaide, South Australia. Retrieved from: https://pdfs.semanticscholar.org/f5df/7683b6 51f9a90cb27fc30041a98311504a15.pdf
- Nakashima, E. (2015, July 9). Hacks of OPM databases compromised 22.1 million people, federal authorities say. The Washington Post. Retrieved from: https://www.washingtonpost.com/news/federal-eye/wp/2015/07/09/hack-of-security-clearance-system-affected-21-5-million-people-federal-authorities-say/
- Nakashima, E., & Peterson, A. (2014, June 9). Report: Cybercrime and espionage costs $445 billion annually. The Washington Post. Retrieved from: https://www.washingtonpost.com/world/national-security/report-cybercrime-and-espionage-costs-445-billion-annually/2014/06/08/8995291c-ecce-11e3-9f5c-9075d5508f0a_story.html
- Worth, D. (2016, March 4). Almost 50 percent of companies do not know where their data is stored. The Inquirer. Retrieved from: http://www.theinquirer.net/inquirer/news/2449713/almost-half-of-firms-do-not-know-where-their-data-is-stored
- Chen, C. C., Shaw, R. S., & Yang, S. C. (2006). Mitigating information security risks by increasing user security awareness: A case study of an information security awareness system. Information Technology, Learning, and Performance Journal, 24(1), 1. Retrieved from: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.102.5945&rep=rep1&type=pdf