Archives for March 2015

Is Your Company At Risk of Suffering a Cyber Attack for Political or Propaganda Reasons?

The following post is the second in a series authored by Rob Dannenberg intended to educate readers about the nature of cyber risk and assist in assessing and improving organizational ability to effectively prepare for and respond to the evolving threat. Rob wrote on The Rapidly Changing World of Cyber Risk in his previous post. Here he examines how companies must consider their political, foreign policy or national security activities as part of cyber risk management.

In the context of the cyber risk environment with nation-state actors such as Iran and North Korea (and non-state actors such as Anonymous) attacking targets for political and propaganda reasons, it is important for enterprises to make an honest assessment of their risk of being targeted by one of these mal-actors as a first step in preparing to manage the risk.

It is also advantageous to understand that nation-state cyber actors devote a significant amount of resources to surfing the Internet and media for potential targets. While not infinite, the resources countries like Russia, China, Iran and North Korea can devote to Internet-based targeting are considerable and far more in depth than commonly imagined. Very few private sector companies devote adequate resources to understanding what is said or written about their firm and its activities on the Internet. Fewer still examine that information from the perspective of a potential nation-state mal-actor.

By suggesting awareness of political/foreign policy exposure I am not suggesting a firm should not be engaged in those activities.  However, a firm should understand the  risk of it being targeted if those activities come to the attention of a potential adversary.

Let’s start with some basic questions that should help you understand where your firm might be on a potential targeting matrix.  It may not be necessary to explore in-depth the answers to all of these questions, but a general assessment of this risk should be available to the firm’s risk managers.

The framework for these questions lies in asking why you would be targeted for political or propaganda purposes.

Are the firm’s senior executives publicly engaged in political, foreign policy-related or national security policy-related activities?

  • If so, does the firm routinely monitor the activities to assess how they would be perceived by a potential adversary?

What is the firm’s international profile?  In which countries does it operate and is it engaged in political, foreign or national security policy activities abroad?

Is there awareness in the firm of the political/foreign policy/security policy activities of the firm’s major clients?  Is the firm part of the critical infrastructure or does it have enterprise significance for those clients?

  • What information is publicly available about the relationship between the firm and clients?

In addition to having little awareness of political risk exposure, many firms fail to do an honest triage of their data and systems and fail to understand what may be at risk.  The executive correspondence compromised in the Sony Pictures and Entertainment attack is a classic example of failure to apply The Washington Post test* to data.  Here are some basic questions to consider in that triage.

What data, if exposed, would cause significant reputational damage to the firm?

What data/systems critical to your enterprise  would interrupt or halt business operations if compromised?

What client/customer data does the firm hold and what would be the effect on the firm or the firm’s clients if this information was compromised or lost?

What is the firm’s reliance upon subcontractors for critical enterprise operations and what would be the effect on the firm if an attack was directed at critical subcontractors?

  • Does the firm have any knowledge of the cybersecurity or resiliency discipline of critical subcontractors?

What information is publicly available on the firm’s senior executives, the firm’s organizational hierarchy and client/subcontractor relationships? (This is key targeting data for a potential adversary.)

What sort of redundancy does the firm’s information and data processing architecture have?

  • How much is managed internally and how much is outsourced?

Does the firm have any closed systems, i.e., systems not accessible by the Internet?

How is executive correspondence processed and retained?

Does the firm have an insider threat program?

Does the firm monitor the social media activity of current and former employees — especially those who have/had access to critical systems and data?

Does the firm periodically review access privileges and adjust to a strict “need to know” standard?

Use these  starter questions to help develop an understanding of how the firm could become a target and what may be at risk.

*Organizations are regularly counseled to ask whether they would mind reading about data they possess on the front page of The Washington Post.


By Robert Dannenberg, SDI Cyber Risk Practice

In an upcoming post  we will take a look at cyber crisis management planning and strategies.

SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.

You can view previous blog posts on cyber risk management here.

March 31, 2015

Who’s Afraid of the Big, Bad, Cyber Wolf?

One would think that by spring of 2015, every business in the country would not only admit to fears about their cybersecurity posture, but be actively engaged in strengthening their capability to effectively respond to cyber attacks. In large measure that is true. For example, the Association of Finance Professionals says 71% of its member organizations have increased spending dedicated to mitigating possible cyber attacks over the past year and a quarter, boosting spending by at least 50%. But what about the others? The outliers?

There is another line of thought emerging which is very interesting.  There are some who believe that the very reputation of a company provides sufficient protection against cyber threats. The reasoning goes like this. The biggest brands can easily sustain the costs of a significant cyber breach. Apostles of this reasoning point to high profile breaches like those sustained by Sony or Target and suggest that the actual damage to the bottom line is not big enough to warrant significant investment in data security.

Taken at face value, Sony’s estimate that the costs of investigation and remediation activities stemming from the recent breach at Sony Pictures and Entertainment would be $35 million through March 31, 2015, seems a drop in the bucket for a company of Sony’s size.  However, the Ponemon Institute’s 2014 Global Report on the Cost of Cyber Crime states that  investigation and initial remediation activities like incident response and management represent about a third of the cost of a breach.  This suggests Sony’s cost might approach $100 million. One assumes companies of Sony’s size do not readily embrace $100 million losses, but can sustain them and continue to do well. Yet consider that these losses may tell only part of the story.

Begin with the obvious. Sony is a technology company. Its reputation clearly has taken a hit, given that this latest breach was preceded by the Sony PlayStation breach in 2011 which cost an estimated $177 million. Suffering two high profile breaches in a short period will call into question security practices, a likelihood sure to play out in the litigation ensuing from the Sony Pictures breach. Amy Pascal, Co-chair of Sony Pictures, lost her job after embarrassing information taken during the breach was made public. The information that was taken and released alienated employees, compromised strategic plans, and altered production schedules. Perhaps even more significantly, we do not know the extent of the intellectual property that was taken, and how much potential future revenue will be forgone because of its loss. This last point is worth examination. The loss of intellectual property can seriously compromise the future plans of any company.

Your brand and reputation may well contribute to your resiliency. High end, well established brands with loyal customer bases will have a far better opportunity to mitigate their losses from a breach than will brands with little reach and modest reputation. But make no mistake, the brand and reputation will be affected. Just how much will depend on how well the company does in managing response to the breach. Keep in mind that there is no guarantee that you will not suffer multiple breaches, each taking its toll, and collectively calling into question how seriously the company takes its responsibility to protect its data. It is fiscally prudent to ensure that the practices you adopt in cybersecurity represent recognized best practices.


By Tom Davis, SDI Cyber Risk Practice


March 24, 2015

6 Ways to Reduce Work Distractions

The workday is full of endless distractions. Just looking out your window can provide hours of entertainment. My view of K Street in Washington, D.C. features a steady stream of business people walking briskly to important appointments and lunch meetings; tourists who I assume wandered too far from the National Mall in search of a cheap lunch spot; an endless supply of impatient drivers honking their horns in bumper-to-bumper traffic; and joggers … so many joggers.

But looking out your window is just one of countless tempting diversions, many easily accessible and threatening to your professional success; none so insidious as your digital tools. Everything from the world wide web to your handy-dandy smartphone can cause you to lose focus on that important report and throw you into a tailspin of mindless clicking and consumption of shallow entertainment news.

To reduce work distractions and keep your employers swooning over your performance, consider these six simple steps:

  1. Dedicate a couple minutes each hour to decompress

It’s difficult to stay focused on your work with so many distractions just a click away. Tantalizing Buzzfeed headlines and pop culture listicles lure us from serious research, and within seconds our day is derailed with thoughts of the 15 stunning photos that will make you want to see the world, and 21 dogs who made poor life choices. (As I write this, I’m fighting the urge to revisit photos number 4 and 17, respectively.)

Rather than completely eliminate these fun yet unproductive temptations, dedicate a couple minutes each hour to indulge. If you’re experiencing writer’s block, a tough equation or simply need to give your eyes a rest from a spreadsheet, shifting focus for those few minutes can refresh your mind and stimulate your creativity.

  2. Schedule your time on social media

There’s no better place to find our favorite listicles, gifs, and videos than on social media, which reigns as the top deterrent of productivity. According to a report conducted by Business Insider, Americans spend more time on social media than any other Internet activity, including email. That’s great news for Facebook, Twitter, Instagram, Snapchat and the countless other social apps taking up storage on our smartphones; bad news for your employer.

To avoid wasting hours on social media, and possible disciplinary action from your boss, schedule your time on social media. Allot 10 minutes before the work day begins and maybe 10 minutes over your lunch break. That way, you’ll feed your appetite for social connectivity without wasting billable hours.

  3. When in the office, keep your smartphone out of sight if not being used for business

It’s hard to disconnect from social media, especially when you see new alerts popping up on your phone from the corner of your eye. Sure, we make valiant efforts to fight temptation and tell ourselves Twitter can wait, but most of the time the desire to know who retweeted our hilarious commentary on Hillary’s email-gate is too great. The best way to avoid such a conundrum is to keep our phones out of sight as much as possible while in the office. It won’t be easy, but it will increase your focus and productivity.

  4. Don’t stop for every email

The average person receives approximately 105 emails per day. If you stop to check every incoming email or read every message popup before it fades, you lose momentum and productivity. Give yourself a time interval, say every 15 to 30 minutes to check email (unless you’re expecting something from the boss). If Senators Lindsey Graham and Chuck Schumer can be successful without email, chances are you can cut back and be just fine.

  5. Avoid music with lyrics

White noise in the backdrop of the workday can be a stress reliever and help you keep focus. Spotify, Pandora and YouTube can set the rhythm and help keep spirits high, but if you’re hoping to avoid distractions, you’ll also need to avoid some of your favorite channels. Taylor Swift’s sick beats are great when you’re getting ready for a night on the town, but won’t help you prepare for a client meeting.

To reduce distraction, avoid music with lyrics. Jazz or classical stations are great for relaxing filler noise and won’t tempt you to show off your sweet dance moves in the middle of the office.

  6. Plan your day (as best as you can)

When you have a daunting work load and everything requires immediate attention, it’s easy to stare at your computer screen and let yourself become overwhelmed by your to-do list. Without a plan of attack, you leave yourself open to any distraction that will keep you from starting your busy day.

Creating a plan will help overcome the onset of professional paralysis when staring down the barrel of an action-packed day. List your tasks in order of importance, and assign a time limit to keep you on track.

Of course, there will be days that are completely unpredictable and you’re hit with one urgent task after another, rendering your plan irrelevant. But on a regular basis, planning out your work day will keep you organized, reduce stress and help you overcome the limitless distractions that coincide with being overwhelmed.

Now having read this, how many of you clicked on the photos and song titles while at work? If it was during your allotted few minutes this hour, well, good for you.


By Nicole Tieman, SDI, March 19, 2015

The Rapidly Changing World of Cyber Risk

The following post introduces a series that will educate readers about the nature of cyber risk and assist in assessing and improving the ability to effectively prepare for and respond to the evolving threat.

The world of private sector cyber risk changed forever in 2014.  While there has always been cyber risk to enterprises from criminals, hackers, or hacktivist groups with criminal or political agendas, most of this activity was directed at firms that had some awareness they were at risk of cyber attack and had undertaken some preparation to manage the risk. What we saw in 2014 for the first time in any meaningful sense was attacks on second or third order targets in the United States by nation-state cyber actors for political or propaganda reasons.  Two cases illustrate how the risk changed in 2014.

In October 2013, Sheldon Adelson, chairman and CEO of Las Vegas Sands,  gave a talk at Yeshiva University in which he suggested demonstrating to Iran the potential risk of their nuclear weapons aspirations by the United States launching a nuclear missile and detonating it in a remote spot in the desert of Iran.  Adelson’s remarks, when leaked, provoked a strong reaction from Iran. Four months later Las Vegas Sands suffered a massive cyber attack in which — among other effects — the attackers rewrote a piece of the firm’s Visual Basic code to destroy data on the firm’s systems and exfiltrate personal data on the firm’s clients and customers. Forensic evidence linked the attackers to servers in Iran.  In February 2015, U.S. Director of National Intelligence, James Clapper, confirmed the attack was conducted by Iran.

In late 2013 and early 2014, Sony Pictures and Entertainment (SPE) was working on a film called “The Interview” in which the CIA hires operatives to assassinate North Korean leader Kim Jong-Un. On November 21, 2014, a number of SPE senior executives received extortionary emails from a group called God’s Apostles. Most of the executives thought the emails were SPAM and simply deleted them. The following day a massive cyber attack was executed on SPE in which intellectual property was stolen, privileged executive correspondence was stolen and leaked, Twitter accounts were taken over, sensitive salary information was leaked and terabytes of data destroyed. The enterprise was effectively shut down. Although the main attack was purportedly conducted by a group called Guardians of Peace, forensic research suggested, and U.S. Intelligence later confirmed, that the attack was carried out by North Korea.

In both cases the targets had not previously considered themselves at risk of state sponsored cyber assault and were thus unprepared to manage that sort of risk.  Significantly, to the attackers, North Korea and Iran, there was no significant consequence to their attacks and tremendous political and propaganda value.  They now understand the impact of attacks on second and third order targets in the United States.

This message is not lost on other potential cyber malactors with a political, propaganda or terrorist agenda, either nation-state or non-state.  The risk has gone up immensely for U.S. firms and it is incumbent on firms to more aggressively work to understand and manage this risk.


By Robert Dannenberg, SDI Cyber Risk Practice

Where does your firm stand in the target matrix for cyber malactors?  We’ll address this in an upcoming post in the series.


March 17, 2015

March Signifies Helen Reddy Song, “I Am Woman, Hear Me Roar”

One hundred years old, how else is Betty McIntosh remarkable? She gave 40 of those years to our nation in the field of intelligence. Yes, she was a spy, one of the few courageous women to work overseas for the Office of Strategic Services (OSS) during World War II, and then for the agency it generated, the CIA. Although very much in a male environment, she took a back seat to no one. What did she do? Once a spy, always a spy – she’s not saying, even now, other than use her communications background to the fullest.

Betty turned 100 March 1, the first day of Women’s History Month. It’s a fitting coincidence given her career and pioneering spirit. But it’s no coincidence that she along with other exceptional historic and contemporary women land in our thoughts this month.

Women’s History Month began in 1978 as a weeklong celebration in a California school district. By 1987 it had caught on across the country and Congress proclaimed March the month of celebration.

This year, SDI applauds another very accomplished woman honored. SDI client LUNGevity chose the month as a platform to name Dr. Julie Brahmer, groundbreaking researcher in immunotherapy for lung cancer patients, its March LUNGevity Hero. In its release on the announcement, LUNGevity captured the essence of what constitutes entry into the fellowship of notable women: “LUNGevity is fortunate to be witnessing first-hand the extraordinary impact Dr. Brahmer’s work has had and will continue to have on those fighting the disease.  We are entering a revolutionary time for lung cancer research and Dr. Brahmer is at the forefront.”

Beyond our nation’s borders, Sunday marked International Women’s Day, an annual event celebrated on March 8 since 1911 that ever more creatively refocuses attention on women’s political, social and economic impact in the world, and the barriers that remain to full equality.

In one example, the Clinton Foundation removed images of women icons from public media across New York to call attention to gender equality and drive online traffic to its “No Ceilings” initiative launched the same day. No Ceilings is a data-driven path to full participation by women in the 21st century.

In another, Vital Voices sponsored 72 Mentoring Walks in over 51 countries to connect women leaders with upcoming generations in a mentoring exercise, building supportive bonds and momentum. Vital Voices is an incubator and accelerator of extraordinary women around the globe who demonstrate leadership potential in their communities, often in the face of great odds.

SDI salutes the sung and unsung women who rise beyond their times and circumstances as enduring role models for generations to come.

Women’s History Month and International Women’s Day are needed reminders of where we’ve been, and where we’re going.


By Jayne Davis, SDI, March 12, 2015

Vital Voices Global Partnership and Plan International Host U.S. Premiere of India’s Daughter


Meryl Streep, Freida Pinto, and Film Director Leslee Udwin Join Film Premiere and Panel Discussion

NEW YORK, March 10, 2015 /PRNewswire-USNewswire/ — Yesterday, Vital Voices Global Partnership and Plan International hosted the U.S. premiere of India’s Daughter, a feature-length documentary from the award-winning director and producer Leslee Udwin and distributed by Women Make Movies. The film details the aftermath of the 2012 Delhi gang rape that shook the Indian subcontinent and sparked heated dialogue on violence against women and girls around the world which has continued to spark more controversy since the Indian government has now banned the film from airing in that country.

India’s Daughter reveals the shocking, ingrained cultural norms and viewpoints on women that persist globally. The film features detailed interviews with the perpetrators of the crime, uncovering attitudes symptomatic of a culture of impunity in which violence against women goes unchecked. Exposing and understanding these points of view is critical to addressing the issue of violence against women openly in society. “The rapists are not the disease – they are symptoms”, said Leslee Udwin, “Gender-inequality is the primary tumor and rape, trafficking, child marriage, female foeticide, honor killings and so on, are the metastases. If we wish to tackle this issue effectively, we must address these attitudes and the mindset they inform.”

For over 17 years, Vital Voices has partnered with both women and men who are working to end violence against women. These leaders work to help advance the full implementation of laws, increase public awareness around this issue, and contribute to the creation of a world where women are free from violence. Plan International has been campaigning for girls’ rights across the globe since 2007. Their grassroots work empowers girls to realize their rights and supports them to stand up against violence and discrimination.

“India’s Daughter shows the horror of gender-based violence. But it also shows it is possible to bring about change starting at the community level, with basic things like ensuring that the education young people receive — and by extension their families — includes building an understanding of and respect for gender equality,” says Tessie San Martin, President & CEO of Plan International USA and Alyse Nelson, President & CEO of Vital Voices. “The film also demonstrates the importance of investing in and working with women and men who are the frontlines of change; it is critical to support these leaders who advocate for change, ensure that perpetrators are held accountable and that survivors receive the needed services and justice they deserve.”

Meryl Streep opened the evening’s program, leading a traditional candle-lighting ceremony in honor of the 2012 gang rape victim Jyoti Singh, a 23-year-old medical student, who died as a result of the attack. “This moving documentary is harrowing not only for its heartbreaking, unflinching look at a young woman’s life brutally ended, but for the intimate, clear eyed look at the young men who broke her, and their defenders,” said Streep, “It forces a look at the mindset that must be made to know it has no place in the civilized world.”

Freida Pinto closed the evening with a rallying call to action: “I’m calling on girls and women, boys and men everywhere to watch this incredible film and then take action: Where you see abuse – report it. Where you witness discrimination – speak out. Let’s make sure that Jyoti Singh’s ultimate legacy is a world free from violence against women and girls.”

About Plan International
Plan International is one of the oldest and largest children’s development organisations in the world. We work in 51 developing countries across Africa, Asia and the Americas to promote girls’ and boys’ rights and lift millions of children out of poverty. Our vision is of a world in which all children realise their full potential in societies that respect people’s rights and dignity.

About Vital Voices
Vital Voices invests in women leaders who improve our world. For more than 17 years, we have partnered with women in over 140 countries to increase economic opportunity, improve political and public leadership, and to end violence against women. Our programs are built upon a foundational belief – that women are essential to progress in their communities. Our world cannot move forward without their full participation.


Anna Rotrosen
Vital Voices Global Partnership


The Truth About Cybersecurity Statistics

Mark Twain famously popularized the saying, “There are three kinds of lies. Lies, damn lies, and statistics,” attributing the original thought to British Prime Minister Benjamin Disraeli. Like many utterances that stand the test of time, there is a measure of truth in suggesting that statistics can be manipulated in a way that hides, rather than discloses, the truth about a given matter. But this reality does not mean we shouldn’t carefully consider the significance and implications of available data.

Consider, for example, PwC’s “The Global State of Information Security 2015,” which reports that in 2014 there were 42.8 million detected information security incidents. The study suggests that the number of incidents detected rose by 48 percent over 2013, and that the associated costs rose by 34 percent.

At roughly the same time as the study was released, software security group Kaspersky Lab Z.A.O. issued the results of its study, which said that there were 2.4 times as many targeted cyber attack victims in the corporate sector in 2014 as in 2013.

The data in both these studies is valuable, but spending time wading through the data to identify where they differ likely is less valuable for the corporate executive who is concerned with building the company’s capability to effectively deal with data breaches. What is important is understanding that the cyber threat is building, and that while reducing vulnerability to breaches is critical, it is not possible to reduce the threat to the point at which a corporation is no longer vulnerable.

It follows that there is another statistic that warrants attention. Once an organization is breached, it becomes exceedingly important that the breach be discovered and repaired as quickly as possible. How are we doing in that regard? Security provider FireEye just released its threat report “M-Trends 2015: A View From the Front Lines.” To the question of how long it takes to discover a breach, the report has this to say, “Organizations made some gains, but attackers still had a free rein in breached environments far too long before being detected — a median of 205 days in 2014 vs. 229 days in 2013.”

Think about it. Right now, it takes many  companies roughly seven months before a breach is discovered and even then the way the breach is detected may come from resources outside the company. According to FireEye, “the number of organizations discovering these intrusions on their own remained largely unchanged. Sixty-nine percent learned of the breach from an outside entity such as law enforcement …”

Herein lie the implications of the data that tell us cyber attacks are increasing and that companies whose defenses are breached and who fall victim to an attack often do not discover it until well after the initial assault, leaving plenty of time for damages to multiply.

We know attacks are increasing and the costs associated with the attacks are rising. 

It is clear that the amount of time it takes to detect and remedy a breach adds cost.

It is apparent that the fact most breaches are discovered by an entity outside the company means that keeping the incident quiet is not in the cards.

Therefore, companies must accelerate their response planning and training to ensure they have the capability to manage the mandatory and discretionary disclosures and associated response activities that, done effectively, can mitigate the damage and enable the company to continue its daily operations with minimal disruption.

That’s the truth about currently available cybersecurity statistics.


By Tom Davis, SDI Cyber Risk Practice


March 10, 2015

Get the Most Out of Your Interns

D.C. is a ripe stomping ground for getting a foot in the door as an intern. In fact, it’s almost a rite of passage and most of us have likely started our careers in that valuable, yet somewhat awkward role, trying out professions and our professional selves. Who hasn’t seen (or been) the wannabe politico trying to pass off plots from House of Cards as their own; the ambitious overachiever dressed in her best Olivia Pope knock-off suit; or the international impresario sporting an impressive-sounding resume and over-practiced social skills?

At SDI, we have a robust intern program and know that it’s easy to overlook the individual behind the “intern” moniker and assume we know them from first impressions. This can be a costly mistake, and a disservice to each intern who walks through our doors.

Most interns contribute a lot of value; that’s why companies hire them. With that in mind, here are a few ways you can move past first impressions and get the most out of that relationship.


  1. Learn about their interests

Spare a lunch hour and invite an intern to eat with you.  Use the time to engage them about their interests and goals for the future. It’s a small gesture that will help you learn how to best utilize their unique talents and help them feel part of the team.

  2. Be approachable

The success of our interns depends just as much on our efforts as it does on theirs. If we’re willing to be approachable and answer questions, communication lines will be open and interns will yield a higher quality of work and enthusiasm.

  3. Explain why what they do matters

As a PR intern, I hated cold calling. It was tedious, boring, and frustrating, but mostly I didn’t understand its value. Looking back on it, I believe it would’ve been more bearable had my supervisor explained why what I did mattered to the firm. I still would’ve hated it, but I would’ve understood its significance. Now, as a professional, I try to provide context to the assignments I give in the hope that my interns don’t experience the same confused frustration I endured. When they understand the importance of their work, they’ll take it more seriously and be more willing to do a good job.

  4. Give them a signature project

As professionals, we often forget the entire reason interns work for us is to get experience. While it’s important they learn the basics and pay their dues, they also need a signature project that highlights their unique skills. Whether it’s writing, video production, or social media savvy, creating a signature project based on an intern’s specific skill set will be good for the company, keep them engaged, and give them something to feature on their resumes.

  5. Be appreciative

Sure, sometimes our interns make mistakes that we need to fix. And as we sit alone in our offices, re-entering data and fuming over missing the open bar at Johnny’s Half Shell, we forget about the good work our interns do every day. A thank you can go a long way, and despite occasional mistakes, our offices would be much worse off without intern support. So let’s try to be appreciative, even when it means missing the best happy hour of the week.


D.C. wouldn’t be D.C. without the interns who overcrowd the bar and spill their drinks on our new Michael Kors pumps at Cap Lounge after work; who talk just a little too loudly about their encounters with Scott Walker at CPAC; and who create traffic jams in the Metro every morning because they can’t quite understand that they don’t need to wait until the gates close from the previous person to touch their SmarTrip card.

So rather than settle on intern stereotypes and first impressions, then dismiss them all as naïve and inexperienced college kids, we should work a little harder to encourage our interns and help them grow professionally — if for no other reason than they’ll probably be our bosses some day in the not-so-distant future.


By Nicole Tieman, SDI, March 3, 2015

Dr. Julie Brahmer, MD, Named March LUNGevity Hero for Research in Groundbreaking Field of Immunotherapy

To kick off Women in History month, LUNGevity Foundation announces Dr. Julie Brahmer, MD, as the March LUNGevity Hero for her work in the field of immunotherapy for lung cancer patients. Dr. Brahmer is a vocal advocate for lung cancer research, passionate doctor and professor of oncology, and innovative researcher.

Growing up in Nebraska, she watched her grandfather battle non-Hodgkin lymphoma.  As an eighteen-year-old, inspired by his struggle, she set the ambitious life goal of curing cancer. She earned a medical degree from the University of Nebraska, did her residency at the University of Utah, and completed oncology training at Johns Hopkins University. Dr. Brahmer has become an international leader in the field of immunotherapy for patients with lung cancer. She is the author of more than 90 scholarly articles and has spoken on immunology at events nationwide, including LUNGevity’s HOPE Summit. She was recently named director of the Thoracic Oncology Program at the Kimmel Cancer Center at Johns Hopkins University in January, adding to her title of Associate Professor of Oncology.

Dr. Brahmer is best known for her research related to the phase one trial of the PD-1 inhibitor nivolumab, an immunotherapy drug that has shown remarkable promise for lung cancer patients. The trial was concluded early when it met its endpoint with positive results two years ahead of schedule.

CEO Realities: State Sponsored Cyber Crime

In March 2013, when Joseph R. Swedish became WellPoint’s CEO, he had plenty of challenges on his plate. WellPoint was competing in a rapidly changing marketplace, and had encountered a number of setbacks that had tarnished its reputation. There’s a very good chance that Mr. Swedish would not have listed the possibility of being the target of a state sponsored cyber attack as among his chief concerns.

On January 29, 2015, Anthem Inc., the newly renamed WellPoint, discovered that it was the victim of a massive data breach. The nation’s second largest health insurer may have lost upwards of 80 million health care records, including the social security numbers, birthdays, street addresses, income data, and phone numbers of its customers. Speculation about the source of the attack quickly centered on China. Now, ThreatConnect, Inc., which provides threat intelligence products and services, has released a report, “The Anthem Hack: All Roads Lead to China,” that indicts individuals and groups associated with the Chinese government in the Anthem attack. The report offers an interesting read, and serves as a chilling reminder of the ever expanding array of challenges facing corporate executives and boards. Nation states are not behind every cyber attack, but they are involved in some of the most serious and far reaching efforts to extract valuable data from corporations.

Like Joseph Swedish, most CEOs and board members did not come to their positions expecting they would need to spend significant time and effort preparing for state sponsored cyber attacks. But the reality of today is that nation states have learned that cybercrime does pay. Relatively inexpensively, and relatively anonymously, nation states can use cybercrime as an extremely potent economic weapon. As PWC’s 2014 US State of Cybercrime survey points out, “The cybersecurity programs of US organizations do not rival the persistence, tactical skills, and technological prowess of their potential cyber adversaries.”

It is possible that at some future point, many nations may reach an agreement that will establish boundaries governing acceptable nation-state practices in cyberspace. But we are a long way from that point. For now, corporations must continue to invest the time and resources it takes to lessen their vulnerability and enhance their response capability.


By Tom Davis, SDI Cyber Risk Practice


March 3, 2015