Monday, July 21, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of July 21, 2014


Cyber Security News of the Week

 From our friends at Citadel Information Group


Cyber Attack

Chinese Hackers Extending Reach to Smaller U.S. Agencies, Officials Say: WASHINGTON — After years of cyberattacks on the networks of high-profile government targets like the Pentagon, Chinese hackers appear to have turned their attention to far more obscure federal agencies. The New York Times, July 15, 2014
Why were this company’s computers attacked millions of times this year? Algae: About 16 months ago, a Florida-based biofuel company called Algenol noticed that its Internet service was slowing down. In checking that out, Jack Voth, Algenol’s information technology chief, stumbled on something odd: a telnet connection to its videoconference camera from an Internet Protocol address in China, a country where Algenol has never sought to do business. The Washington Post, July 12, 2014
Attack Campaign Targets Facebook, Dropbox User Credentials: The goal of the attackers is not fully clear but the credential theft could set up sophisticated targeted attackers. DarkReading, July 11, 2014

Financial Cyber Security

New banking malware ‘Kronos’ advertised on underground forums: A new Trojan program designed to steal log-in credentials and other financial information from online banking websites is being advertised to cybercriminal groups on the underground market. PCWorld, July 14, 2014

Cyber Warning

Vulnerability exposes some Cisco home wireless devices to hacking: Nine of Cisco’s home and small office cable modems with router and wireless access point functionality need software updates to fix a critical vulnerability that could allow remote attackers to completely compromise them. PCWorld, July 17, 2014
Beware Keyloggers at Hotel Business Centers: The U.S. Secret Service is advising the hospitality industry to inspect computers made available to guests in hotel business centers, warning that crooks have been compromising hotel business center PCs with keystroke-logging malware in a bid to steal personal and financial data from guests. KrebsOnSecurity, July 14, 2014
DropCam Vulnerable To Hijacking: Researchers at DEF CON to demonstrate flaws in a popular WiFi video monitoring system. DarkReading, July 14, 2014

Cyber Security Management

SEC Playing Bigger Role in Cybersecurity: Besides clarifying disclosure requirements, the agency is prompting companies to take proactive steps. JDSUPRA, July 14, 2014

Cyber Security Management – Cyber Defense

GOOGLE SET TO CHANGE MALWARE, PHISHING WARNINGS FOLLOWING STUDY: In the not too distant future, Google will change the way it displays malware and phishing warnings in its Chrome browser. ThreatPost, July 15, 2014

Cyber Security Management – Cyber Update

Java Update: Patch It or Pitch It: Oracle today released a security update for its Java platform that addresses at least 20 vulnerabilities in the software. Collectively, the bugs fixed in this update earned Oracle’s “critical” rating, meaning they can be exploited over a network without the need for a username and password. In short, if you have Java installed it is time to patch it or pitch it. KrebsOnSecurity, July 15, 2014

Securing the Village

Meet ‘Project Zero,’ Google’s Secret Team of Bug-Hunting Hackers: When 17-year-old George Hotz became the world’s first hacker to crack AT&T’s lock on the iPhone in 2007, the companies officially ignored him while scrambling to fix the bugs his work exposed. When he later reverse engineered the Playstation 3, Sony sued him and settled only after he agreed to never hack another Sony product. Wired, July 15, 2014

National Cyber Security

Justice Department’s New Crime Chief Targets Cyber Cases: WASHINGTON—International organized crime groups, lured by the prospect of thefts that can net hundreds of millions of dollars, increasingly are turning to cybercrime, said the new head of the Justice Department’s criminal division. The Wall Street Journal, July 14, 2014

Cyber Misc

How Russian Hackers Stole the Nasdaq: In October 2010, a Federal Bureau of Investigation system monitoring U.S. Internet traffic picked up an alert. The signal was coming from Nasdaq (NDAQ). It looked like malware had snuck into the company’s central servers. There were indications that the intruder was not a kid somewhere, but the intelligence agency of another country. More troubling still: When the U.S. experts got a better look at the malware, they realized it was attack code, designed to cause damage. Bloomberg, July 17, 2014



Weekend Vulnerability and Patch Report, July 20, 2014


Important Security Updates

AVG Free Edition: AVG has released version 2014.0.4744 of its 32 bit Free Edition. Updates are available on AVG’s website.
Dropbox: Dropbox has released version 2.10.2 for its file hosting program. Updates are available at Dropbox’s website. [See Citadel's warning below]
Google Chrome: Google has released Google Chrome 36.0.1985.125 for Windows, Mac, Linux, and Chrome Frame to fix at least 2 moderately critical unpatched vulnerabilities in previous versions. Updates are available from within the browser or from Google Chrome’s website.
Google Chrome for Android: Google has released version 36.0.1985.122 of Chrome for Android to fix at least 2 unpatched vulnerabilities in previous versions. Updates are available through the program or device.
Oracle Java: Oracle has released Java SE 7 Update 65 to fix at least 20 vulnerabilities, some of which are highly critical. The update is available through Windows Control Panel or Java’s website. [See Citadel's recommendation below]

Current Software Versions

Adobe Flash  14.0.0.145 [Windows 7: IE]
Adobe Flash  14.0.0.145 [Windows 7: Firefox, Mozilla]
Adobe Flash  14.0.0.145 [Windows 8: IE]
Adobe Flash  14.0.0.145 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.07
Dropbox 2.10.2 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 30
Google Chrome 36.0.1985.125
Internet Explorer 11.0.9600.17126
Java SE 7 Update 65 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7 
Safari 7.0.4 [Mac OS X]
Skype 6.18.0.105

Newly Announced Unpatched Vulnerabilities

None
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco Multiple Products: Secunia reports that Cisco has released updates for its SPA300 / SPA500 Series, WebEx Meetings Server and Meeting Center, Adaptive Security Appliance (ASA), Unified Contact Center Express, Unified Communications Manager, multiple Wireless Residential Gateway products, Identity Services Engine (ISE), Unified Contact Center Enterprise, and others. Apply updates. Secunia also reports several unpatched vulnerabilities in Cisco Unified Communications Domain Manager (CUCDM), Business Edition 3000 and others. No official solution is available.
Citrix NetScaler: Secunia reports that Citrix has released updates for its NetScaler and NetScaler Gateway to fix 2 vulnerabilities. Update to version 10.1-126.12.
Citrix XenDesktop: Secunia reports that Citrix has released updates for its XenDesktop to fix a vulnerability reported in the following products and versions: Citrix XenDesktop 5.6 Common Criteria, Citrix XenDesktop 5.6 x32, Citrix XenDesktop 5.6 x64, Citrix XenDesktop 7, Citrix XenDesktop 7.1, Citrix XenDesktop 7.5. Apply updates.
Citrix XenServer: Secunia reports that Citrix has released updates for its XenServer to fix 2 moderately critical vulnerabilities and a security issue. Apply updates.
Oracle Multiple Products: Both Secunia and US-CERT report that Oracle has released updates to fix more than 100 vulnerabilities, some of which are highly critical, for Oracle Linux for java-1.7.0-openjdk, Solaris, Hyperion Provider Services, Hyperion Common Admin, Hyperion Business Intelligence Plus, Hyperion Essbase, Siebel CRM, Communications Messaging Server, Secure Global Desktop, Agile Product Collaboration, E-Business Suite, BI Publisher, PeopleSoft Enterprise Supply Chain Management (SCM), Retail Returns Management, PeopleSoft Enterprise Financial Management Solutions (FMS), PeopleSoft PeopleTools, PeopleSoft Enterprise Learning Management, Glassfish Communications Server, Glassfish Server, Retail Back Office and Oracle Retail Central Office, JDeveloper, WebLogic Server, WebCenter Portal, iPlanet Web Server, iPlanet Web Proxy Server, Traffic Director, Hyperion Enterprise Performance Management Architect, Database, MySQL Server, Transportation Management, VM VirtualBox, JRockit, ISC BIND included in Solaris, and others. Apply updates.

If you are responsible for the security of your computer, Citadel’s Weekend Vulnerability and Patch Report is for you. We strongly urge you to take action to keep your workstation patched and updated.
If someone else is responsible for the security of your computer, forward our Weekend Vulnerability and Patch Report to them and follow up to make sure your computer has been patched and updated.
Vulnerability management is a key element of cyber security management. Cyber criminals take over user computers by writing computer programs that “exploit” vulnerabilities in operating systems (Windows, Apple OS, etc) and application programs (Adobe Acrobat, Office, Flash, Java, etc). When software companies find a vulnerability, they usually issue an update patch to fix the code running in their customer’s computers.
Citadel publishes our Weekend Vulnerability and Patch Report to alert readers to some of the week’s important updates and vulnerabilities. Our focus is on software typically found in the small or home office (SOHO) or that users are likely to have on their home computer. The report is not intended to be a thorough listing of updates and vulnerabilities.
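As an added worked example (not Citadel's code and not part of the original report), the script below turns the "Current Software Versions" list above into the check the preceding paragraphs ask readers to perform: it parses lines written the way this report writes them (dotted versions such as 36.0.1985.125, and Java's "7 Update 65" form), compares them numerically rather than as strings so that 36.0.1985.125 outranks 35.0.1916.153 and 7 Update 65 outranks 7 Update 60, and reports which installed products are behind. The INSTALLED inventory is a constructed sample, not data from any real machine, and it assumes product names spelled the way the report spells them.

```python
"""Compare a workstation's installed software against a patch report's
'Current Software Versions' list.

Added example for this report; it is not Citadel's code.  REPORT_LINES is
copied from the list above (one Flash line stands in for the four); the
INSTALLED inventory is a constructed sample, not data from a real machine.
"""
import re

# Lines as they appear in the report's "Current Software Versions" table.
REPORT_LINES = [
    "Adobe Flash  14.0.0.145 [Windows 7: IE]",
    "Adobe Reader 11.0.07",
    "Dropbox 2.10.2 [Citadel warns against relying on Dropbox security.]",
    "Firefox 30",
    "Google Chrome 36.0.1985.125",
    "Internet Explorer 11.0.9600.17126",
    "Java SE 7 Update 65 [Citadel recommends removing or disabling Java from your browser.]",
    "QuickTime 7.7.5",
    "Skype 6.18.0.105",
]

# Constructed sample inventory (product name -> installed version), as it
# might be pulled from an installed-programs list.  Chrome and Java lag the
# report, Skype is ahead of it, and AxCrypt is not covered by the report.
INSTALLED = {
    "Adobe Flash": "14.0.0.145",
    "Adobe Reader": "11.0.07",
    "Dropbox": "2.10.2",
    "Firefox": "30",
    "Google Chrome": "35.0.1916.153",
    "Internet Explorer": "11.0.9600.17126",
    "Java SE": "7 Update 60",
    "QuickTime": "7.7.5",
    "Skype": "6.18.0.106",
    "AxCrypt": "1.7.3156",
}

# A product name (letters and spaces), then a version that is either dotted
# numbers or "N Update M", then an optional [bracketed note].
_LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z][A-Za-z ]*?)\s+"
    r"(?P<version>\d+(?:\.\d+)*(?:\s+Update\s+\d+)?)"
    r"(?:\s+\[.*\])?\s*$"
)


def version_key(version: str) -> tuple:
    """Turn '36.0.1985.125' or '7 Update 65' into an int tuple so that
    36.0.1985.125 > 35.0.1916.153 and 7u65 > 7u60 (plain string comparison
    gets '10' < '9' wrong).  Trailing zero components are dropped so that
    '30' and '30.0' compare equal."""
    parts = [int(n) for n in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_report(lines):
    """Map product name -> current version from the report's list lines;
    lines that do not fit the pattern are ignored rather than guessed at."""
    current = {}
    for line in lines:
        m = _LINE_RE.match(line.strip())
        if m:
            current[m.group("name").strip()] = m.group("version")
    return current


def check_inventory(installed, current):
    """Classify each installed product as 'current', 'outdated' (behind the
    report), 'ahead' (newer than the report: a data-quality flag, not a
    problem) or 'unknown' (not covered by this report)."""
    status = {}
    for name, have in installed.items():
        want = current.get(name)
        if want is None:
            status[name] = "unknown"
            continue
        h, w = version_key(have), version_key(want)
        status[name] = "current" if h == w else ("outdated" if h < w else "ahead")
    return status


def outdated(installed, current):
    """Sorted names that need patching: the to-do list."""
    return sorted(n for n, s in check_inventory(installed, current).items() if s == "outdated")


if __name__ == "__main__":
    current = parse_report(REPORT_LINES)
    for name, state in sorted(check_inventory(INSTALLED, current).items()):
        print(f"{name:18} {INSTALLED[name]:>16}  ->  {current.get(name, '-'):>16}  {state}")
```

Run as-is it prints one line per product; "outdated" is the list to act on, while "ahead" and "unknown" only say the report did not cover that version or product, which the report itself warns is expected since it is not a thorough listing.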
Copyright © 2014 Citadel Information Group. All rights reserved.

Monday, July 14, 2014

Cyber Security News, Education and Vulnerability Patch Report for the Week of July 14, 2014



Cyber Security News of the Week

 

From our friends at Citadel Information Group


Cyber Crime

BitBeat: Phishing Scam Tries to Lure In Bitcoin Bidders: A scam artist tried to swindle a group of potential bidders in the June auction of 30,000 bitcoins by the U.S. Marshals Service, and appears to have scored a small win with at least one of them. The Wall Street Journal, July 3, 2014

Cyber Privacy

Controversial Cybersecurity Bill Known As CISA Advances Out Of Senate Committee: The Senate Select Committee on Intelligence voted Tuesday to approve a controversial cybersecurity bill known as the Cyber Information Sharing Act (CISA). The bill is intended to help companies and the government thwart hackers and other cyber-intrusions. The bill passed by a 12-3 vote, moving it one step closer to a floor debate. Forbes, July 9, 2014

Financial Cyber Security

Why Information Sharing Isn’t Working: Tim Pawlenty, CEO of the Financial Services Roundtable, says the only way to ensure adequate cyberthreat information sharing is through federal legislation that would furnish liability protection and other incentives. BankInfoSecurity, June 25, 2014
FFIEC Launches Cybersecurity Web Page, Promotes Awareness of Cybersecurity Activities: WASHINGTON – The Federal Financial Institutions Examination Council (FFIEC) today launched a Web page on cybersecurity (www.ffiec.gov/cybersecurity.htm). The Web page is a central repository for current and future FFIEC-related materials on cybersecurity. FFIEC, June 24, 2014

Cyber Warning

Crooks Seek Revival of ‘Gameover Zeus’ Botnet: Cybercrooks today began taking steps to resurrect the Gameover ZeuS botnet, a complex crime machine that has been blamed for the theft of more than $100 million from banks, businesses and consumers worldwide. The revival attempt comes roughly five weeks after the FBI joined several nations, researchers and security firms in a global and thus far successful effort to eradicate it. KrebsOnSecurity, July 10, 2014
HARD-CODED PASSWORD VULNERABILITY PLAGUES SOME NETGEAR SWITCHES: A vulnerability in Netgear-branded ethernet switches could give an attacker full access to the hardware, including the ability to log into the device and execute arbitrary code. ThreatPost, July 7, 2014
The Rise of Thin, Mini and Insert Skimmers: Like most electronic gadgets these days, ATM skimmers are getting smaller and thinner, with extended battery life. Here’s a look at several miniaturized fraud devices that were pulled from compromised cash machines at various ATMs in Europe so far this year. KrebsOnSecurity, July 7, 2014
Funeral Announcement: Origins: In January 2014, Internet users began receiving e-mails from various funeral homes with attention-getting subject lines such as “Passing of your friend,” messages that informed recipients a “dear friend” had passed away and invited them to attend that person’s upcoming funeral or memorial service. The messages provided a hyperlink (on the word “here”) for readers to click in order to obtain detailed information about the date and location of the service. Snopes, January 24, 2014

Cyber Security Management

Strategic Security: Begin With The End In Mind: The trouble with traditional infosec methodology is that it doesn’t show us how to implement a strategic security plan in the real world. DarkReading, July 11, 2014
The CISO-centric Information Security Triad: What is the information security triad? Just about everyone knows the answer to this question is CIA – Confidentiality, Integrity, and Availability. Security professionals, service providers, and technology vendors are responsible for these three infosec pillars in one way or another. NetworkWorld, July 10, 2014
Managing Cyber Risk: Job #1 for Directors and General Counsel: Each year, FTI Consulting and NYSE Governance Services survey public company directors and general counsel about the legal and governance issues that concern them the most. FTI Journal, July 2014
Rogers: Cybersecurity is the ‘ultimate team sport’: Thank you very much for taking the time from your very busy days to focus on a topic that I think is of critical importance to us as a nation: this idea of how do we maintain security in a cyber arena in a world where cyber continues to grow in importance and, at the same time, the level of vulnerability that is present within our cyber systems has probably never been greater. So that’s quite a challenge for anybody. Federal Times, July 8, 2014
Ponemon: Data Breach Costs Rising: On the day Target’s CEO resigned in the aftermath of a massive data breach, the Ponemon Institute issued its 2014 Cost of Data Breach Study, which Chairman Larry Ponemon says helps explain why CEOs should be more involved in breach preparedness and response. BankInfoSecurity, May 5, 2014

Cyber Security Management – Cyber Defense

Black Hat USA 2014: Third-Party Vulns Spread Like Diseases: Understanding the impact of vulnerabilities in libraries and other components. DarkReading, July 7, 2014

Cyber Security Management – Cyber Update

APPLE UPDATES OSX BLACKLIST FOLLOWING FLASH VULNERABILITY: Apple acknowledged on Thursday that it has updated its OSX plugin blacklist to reflect a critical vulnerability in Adobe Flash made public earlier this week. ThreatPost, July 11, 2014
Microsoft, Adobe Push Critical Fixes: If you use Microsoft products or Adobe Flash Player, please take a moment to read this post and update your software. Adobe today issued a critical update that plugs at least three security holes in the program. Separately, Microsoft released six security updates that address 29 vulnerabilities in Windows and Internet Explorer. KrebsOnSecurity, July 8, 2014

Cyber Underworld

The Hazards Of Probing The Internet’s Dark Side: Late last year, hackers breached Target’s data security and stole information from millions of credit cards. Brian Krebs, who writes about cybercrime and computer security for his blog, Krebs on Security, broke the story. A few days later, he broke the story of a credit card breach at Neiman Marcus. NPR, July 8, 2014

Cyber Espionage

Chinese Hackers Pursue Key Data on U.S. Workers: WASHINGTON — Chinese hackers in March broke into the computer networks of the United States government agency that houses the personal information of all federal employees, according to senior American officials. They appeared to be targeting the files on tens of thousands of employees who have applied for top-secret security clearances. The New York Times, July 9, 2014
Chinese Attackers Targeting U.S. Think Tanks, Researchers Say: Government-backed group “Deep Panda” compromised “several” nonprofit national security policy research organizations, CrowdStrike says. DarkReading, July 7, 2014

Critical Infrastructure

Study: Most Critical Infrastructure Firms Have Been Breached: A new Ponemon Institute study finds 70% of critical infrastructure companies have been hit by security breaches in the last year, but cyber security programs are still a low priority. DarkReading, July 10, 2014

Cyber Misc

Scammers, hackers and spies hit campaign trail: Political campaigns are hotbeds of criminal activity and mischief — just not in the way you think. Politico, July 7, 2014

Cyber Sunshine

Global Law Enforcement, Security Firms Team Up, Take Down Shylock: A la GOZeuS, an international, public-private collaboration seizes a banking Trojan’s command and control servers. DarkReading, July 10, 2014
Feds Charge Carding Kingpin in Retail Hacks: The U.S. Justice Department on Monday announced the arrest of a Russian hacker accused of running a network of online crime shops that sold credit and debit card data stolen in breaches at restaurants and retailers throughout the United States. KrebsOnSecurity, July 8, 2014

Cyber Calendar

ISSA-LA July Lunch Meeting: Attack Trends, the Need for Intelligence Integration and a Prevent-Based Security Posture: This presentation will review recent trends associated with malware, advanced threats and risky applications. It will also highlight security administrators' views of their ability to identify, analyze and prevent security breaches. The data points associated with these findings identify a clear need for information security intelligence that is rich in content and also actionable. Security administrators must be able to integrate intelligence into their security controls in near real time to prevent evolving attacks. The session will also raise the need for security practitioners to consider switching their security postures from detect to prevent. ISSA-LA, Event Date: July 16, 2014


Weekend Vulnerability and Patch Report, July 13, 2014


Important Security Updates

Adobe Flash Player: Adobe has released version 14.0.0.145 to fix at least 3 moderately critical vulnerabilities in its Flash Player for the Windows and Mac versions. Updates are available from Adobe’s website. Updates are also available for Adobe AIR.
Apple iTunes: Apple has released version 11.3 of iTunes for Windows (32-bit). Updates are available from Apple’s website.
Avira Antivirus: Avira has released version 14.0.5.464 of its free Antivirus. Updates are available from Avira’s website.
Malwarebytes Anti-Exploit: Malwarebytes has released version 1.03.1.1220 of its free Malwarebytes Anti-Exploit. Updates are available from Malwarebytes’ website.
Microsoft Patch Tuesday: Microsoft released several updates addressing at least 29 security vulnerabilities, some of which are highly critical, in Windows, Office, Internet Explorer, and more. This release of updates specifically fixes at least 24 highly critical vulnerabilities in Internet Explorer. Updates are available via Windows Update or from Automatic Update.
Skype: Skype has released Skype 6.18.0.105. Updates are available from the program or Skype’s website.
TechSmith Corporation SnagIt: TechSmith has released version 12.1.0.1322 for SnagIt. Updates are available from TechSmith’s website.

Current Software Versions

Adobe Flash  14.0.0.145 [Windows 7: IE]
Adobe Flash  14.0.0.145 [Windows 7: Firefox, Mozilla]
Adobe Flash  14.0.0.145 [Windows 8: IE]
Adobe Flash  14.0.0.145 [Macintosh OS X: Firefox, Opera, Safari]
Adobe Reader 11.0.07
Dropbox 2.8.4 [Citadel warns against relying on Dropbox security. We recommend files containing sensitive information be independently encrypted with a program like Axcrypt; encryption keys be at least 15 characters long; and the Dropbox password be at least 15 characters long and different from other passwords.]
Firefox 30
Google Chrome 35.0.1916.153
Internet Explorer 11.0.9600.17126
Java SE 7 Update 60 [Citadel recommends removing or disabling Java from your browser. Java is a major source of cyber criminal exploits. It is not needed for most internet browsing. If you have a particular web site that requires Java, Citadel recommends using a two-browser approach to minimize risk. If you normally browse the Web with Firefox, for example, disable the Java plugin in Firefox and use an alternative browser — such as Chrome, IE9, Safari, etc — with Java enabled to browse only the sites that require it.]
QuickTime 7.7.5
Safari 5.1.7 
Safari 7.0.4 [Mac OS X]
Skype 6.16.0.105

Newly Announced Unpatched Vulnerabilities

None
For an updated list of previously announced Unpatched Vulnerabilities, please see the resources section of Citadel’s website.

For Your IT Department

Cisco IOS XR: Secunia reports that Cisco has released updates for its IOS XR to fix a vulnerability. Update to version 5.1.3.9i.BASE or 5.2.2.11i.BASE.
Novell iManager: Secunia reports that Novell has released updates for its iManager to fix reported vulnerabilities in previous versions.



Thursday, July 10, 2014

Organizational Change Book Recommendations


Organizational Change
Last week I put a question in front of several of my LinkedIn Groups.  Thank you very much if you contributed answers.  Whether you contributed or not, here is a resource that I hope you’ll find to be helpful when you’re facing Organizational Change issues and you need a little help.
My LinkedIn Group Question:
One of the CISOs whom I am coaching asked me for a recommendation on a book that deals with "Organizational Change". Has anyone read a book on this subject that you found to be helpful personally?

  • Hi Jeff, I am currently getting my masters at Northwestern in organizational change. If you're interested in a more tactical "how to" type of read I would recommend "Managing Transitions" by William Bridges. If you're looking for a collection of great reads that paint a picture of successful (and not so successful) massive organizational change efforts I would pick up HBR's 10 Must Reads on Change Management. I hope this is helpful!
  • Kotter's book Leading Change is THE textbook on change.
  • Three books that might meet your needs 
  1. http://books.google.com.au/.../Management_Redeemed.html
  2. https://books.jbhifi.com.au/.../delivering-on-the.../261608
  3. http://www.amazon.com/Free-Perfect-Now.../dp/068486312X
  • I found "The Reinventors: How Extraordinary Companies Pursue Radical Continuous Change" by Jason Jennings to be an excellent read for a strategic standpoint. From a more tactical perspective for the CISO, (as mentioned previously) "The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win" by Kim, Behr, and Spafford is a great read that demonstrates first-hand the possibilities of organizational maturity through embracing change.
  • Maverick by Ricardo Semler. I've bought many copies to hand out to colleagues over the years.
  • Just came across this "Tolstoy on Change Management" interesting ... http://blogs.wsj.com/cio/2014/07/04/what-your-ceo-is-reading-tolstoy-on-change-management-paul-valley-zombies/?mod=WSJBlog
  • I found "Leading Change" to be simple and powerful .... if there was one book to recommend, I would suggest Leading Change by Kotter
  • I agree with Rick. It depends what your CISO wants to get out of this. It is one thing leading change but another knowing what needs to change. Nicholas suggested Patrick Lencioni's books and I think one of his latest, which is not a fable, is Organizational Health. It is much easier managing change when the goals are clear and understandable.
  • Sadly, watching many larger organizations, they seem to think this is done by removing large numbers of junior staff and bringing in new blood. In doing so the senior management throw out and taint their talented workers rather than dealing with their own unhealthy management policies.
  • As shown in many of the examples in Jim Collins' Good to Great, the company leader wanting to bring about change has to know the desired goal before they work out what needs to change. This is not always found in a book.
  • There are many good books out there but it depends on what he / she is looking to get out of the read. If it is just a high level understanding of how change works in an organization through a psychological lens, then SWITCH is good. If he / she is looking for how to lead change from a business perspective then LEADING CHANGE by John Kotter is great. If the goal is to understand change from a technical lens then I guess some of the other recommendations above are good.
  • The Quantum Age of IT by Charles Araujo provides a compelling vision on why organizations need to change and proposes what the future will look like. You can read the comments on Amazon. http://www.amazon.com/Quantum-Age-The-Charles-Araujo/product-reviews/1849283753/ref=dpx_acr_txt?showViewpoints=1
  • IT Savvy is a very good read. I bought 3 hard copies of the book in succession, because my colleagues would typically sneak into my office and "borrow the book", without owning up to such. Nonetheless, that is how I know it's a good read, because the copies were always swiped.
  • I recently had the privilege to be part of a leadership team that drove a successful business transformation program. Books we used as frameworks that I highly recommend are : Five Dysfunctions of a Team, Good to Great, The Advantage, and IT Savvy.
  • This book is also very helpful: The Theory and Practice of Change Management, John Hayes, Palgrave Publishers Ltd.
  • I completed an MBA (Management Specialization) in April 2014, in it I did a Module called Managing Corporate Change, I found this book very useful. Strategic Organizational Change, Building Change Capabilities In Your Organization, Ellen R. Auster, Krista K. Wylie; Michael S. Valente – Palgrave Macmillan, 2005
  • The IBM Global Making Change Work Study examines how organizations can manage change and identifies strategies for improving project outcomes. It's based on real life experience and best practices. It's free and an easy read.
  • The Fifth Discipline is a great book on organizational change and learning. Not a classic change book, but a brilliant one to get thinking about your organization in a different way.
  • A great book on "do's and don'ts" is Hard Facts, Dangerous Half-Truths, and Total Nonsense by Jeffrey Pfeffer and Robert Sutton. Change can be good, but often creates more harm than good. The core focus of the book is Evidence Based Management, but it is totally applicable to change. The book includes a chapter "Change or Die?", which hits the subject right on. This book will help you avoid the pains of incorrect change.
  • Managing Transitions - Making the Most of Change by William Bridges. It's an ultimate book on managing changes and transitions in the organization. Change is the only thing constant these days!
  • Switch, by Chip and Dan Heath is a great read.
  • Take a look at "Scaling up Excellence" by Bob Sutton and Huggy Rao. It is packed with practical approaches to managing and leading change.
  • x2 for Tribal Leadership and Covey's leadership book. Both are excellent reading
  • The Phoenix Project - Gene Kim is a co-author
  • Hey Jeff! Many good suggestions in the replies, but I felt that I needed to emphasize the Dr. Kotter references. I've had the pleasure of meeting him, and working with him and his team, on several change initiatives. Solid approach based on solid research. Here's a direct link to save you a search: http://www.kotterinternational.com/our-principles/changesteps
  • For change management, John Kotter is hard to beat. A good start is Our Iceberg Is Melting, then continue with any other of his books. I'm currently reading his XLR8, good so far.
  • Leading Change http://www.barnesandnoble.com/listing/2680535545450?r=1&cm_mmc=GooglePLA-_-TextBook_NotInStock_26To75-_-Q000000633-_-2680535545450
  • The Leadership Challenge http://www.amazon.com/The-Leadership-Challenge-4th-Edition/dp/0787984922/ref=sr_1_2?ie=UTF8&qid=1404490007&sr=8-2&keywords=leadership+challenge+book
  • Try this one. Organisational Change 4th Ed. ISBN 978-0273716204 Authors are Senior and Swales
  • I would recommend the Patrick Lencioni books. They are concise and very accessible - all but 1 or 2 of them are written as a modern fable, making them enjoyable. The author does not waste words - if it only takes 100 pages to make his points, that's all he writes (you will not find 300 pages of filler).
  • Especially helpful regarding organizational change:
  1. The Five Dysfunctions of a Team
  2. The Four Obsessions of an Extraordinary Executive
  3. Death by Meeting
  4. The Five Temptations of a CEO
  5. Silos, Politics, and Turf Wars
  • You can read any one of them in a weekend (and enjoy it). And I believe all of them are available unabridged on audible.com to make for easy listening during a commute.
  • Hey Jeff, This is an interesting question as it has made me stop and ponder for a while. Call me old school, but I think the book that influenced me the most regarding change management is Out of Crisis by the guru himself Dr W Edwards Deming. On the surface, it's a story of quality, but the subtext is that of empowering people to create great things. And that brings me to leadership - because any change program is doomed without a good leader. Your client needs to read The Three Levels of Leadership by James Scouller. This is brilliant because it focuses on what private, personal and public traits you need to lead change. Change management is such a beige term - isn't it. Why not focus on change leadership - leading change - driving towards a shared vision.
  • Please check the following resource - http://www.mindtools.com . It has a great collection of suggestions, reads, tools, exercises, etc. on various management topics
  • I would highly recommend two books: "ADKAR" and "Change Management" by Jeffrey M. Hiatt.
  • Your candidate has a lot of very useful reading above... I loved working through some of these books, thought some lacked fresh ideas, and have enjoyed other titles not listed here. So I won't add more titles to this esteemed list, but I would just point out that organisational change is driven from experience and is as much an "art" as a "science", framed around soft goals and hard targets.
  • Unless your candidate has a few weeks of spare time and is an avid speed reader, with strong project management, communication skills, a strategic mind with a bent for Van Gogh... best call in someone with experience is my advice.
  • Jeff, In addition to Kotter's "Leading Change" bestseller, I also recommend "The Change Monster: The Human Forces that Fuel or Foil Corporate Transformation," by Jeanie Daniel Duck. The book describes a taxonomy for evaluating where you are in the change process: Stagnation (essentially stuck in a rut that isn't working); Preparation (getting people ready for making an important change); Implementation (figuring out and announcing the details of what to do); Determination (actually carrying through on the plans and new commitments); and Fruition (using the new success to strengthen the foundations of future progress). Keep in mind, however, that -- regardless of the methodology applied -- organizational change initiatives fail to achieve expectations more often than not. Success, in virtually all instances, depends on evangelistic sponsorship from the top-down, and relentless persistence through all the obstacles and would-be barriers that inevitably arise to frustrate the (usually) longer-than-expected journey.
  • In 1998 a great little book on this topic appeared, "Who Moved My Cheese". It's by Spencer Johnson. It's written as a parable or a fable. It's a very quick read, but it really provides a great perspective on change and how to personally best capitalize on it.
  • Tribal Leadership
  • The Speed of Trust by Stephen M.R. Covey. It's more around the core values and principles required in a high performing, high velocity organization than it is about tactical change. But, tactical execution is secondary to the key principles underlying all change. This book is all about:  Trust = Character * Competency = (Integrity + Intent) * (Skills + Results)
  • Hi Jeff:  Definitely Leading Change by John P. Kotter.
  • Sounds like you have more than enough reading to do, but one more that I think helps transform companies is called Mastering the Rockefeller Habits. While the book applies many of its concepts to growing companies (in terms of size and revenue) I think the concepts have a broad application in establishing priorities and rhythms to help the company and its employees target specific goals in unison. It tasks individuals with understanding how they are spending their time in support of their personal and company-wide priorities and goals.
  • I second Kenneth Smith's recommendation for The Phoenix Project. Depending on your CISO's mindset, that book's treatment of security in the context of organizational change could be a real eye opener.
  • Thought I would throw one more out for you. With most organizational change comes new supervision and managers that have been promoted up from the ranks. A great book for that change is “The First 90 Days” by Michael Watkins. It helps guide those transitioning from single contributor to a leadership role. How you manage your transition in the first 90 days can position you for success or set you up for failure. Hit the ground running………
  • I personally like "Mastering The Rockefeller Habits" by Verne Harnish.
  • "Good to Great" by Jim Collins is a great read for leading by example which also touches upon the organization change dimension.
  • "The Five Dysfunctions of a Team" by Patrick Lencioni is a great book.
  • I must add one more to the list that has been very helpful in personal change to position yourself for success. The 7 Habits of Highly Effective People by Stephen Covey......
  • Digging a bit deeper into my bookshelf, I'm reminded of these very good works as well: "Organizational Culture and Leadership," by Edgar H. Schein (Aug., 2010), "Predictably Irrational: The Hidden Forces That Shape Our Decisions," by Dan Ariely (Apr., 2010), and "It's All about Work: Organizing Your Company to Get Work Done" (paperback), by Christopher R. Clement and Stephen D. Clement (May 2013). Each of these is reviewed on amazon.com. The first deals mainly with leadership, the second with human behavior, and the last one with organizational structure. Hope this helps.
  • "Innovative People Must Be Stopped" by David Owen (PhD).
    The book details how innovation, which is implementable new change that brings desired benefits, is constrained at various levels and, once these are understood, how counter strategies can be developed to circumvent these innovation constraints, i.e. Strategic Innovation. CISOs should bring about Strategic Innovation as regards Information Security Governance, hence my recommendation.
  • @Jeff of course as they tend to overlap. A good read that touches on all aspects, not just the academic aspects but practical execution, is "Best Practices in Organization Development and Change: Culture, Leadership, Retention, Performance, Coaching"
  • Sniff and Scurry in "Who Moved my Cheese" is a classic along...
  • "Change is great….you go first"
  • Hello Jeff, I've read several of the books mentioned here and have used The First 90 Days as a guide when I started with a new company. While the books are good, they're no substitute for a compelling change management methodology. When I worked as an IT Director at Pfizer, I supported the Organizational Training & Development Director. We flew to Ann Arbor, Michigan to become certified in the Accelerated Implementation Methodology, a proprietary organizational change management approach developed and perfected by Implementation Management Associates, Inc. (http://www.imaworldwide.com). It is such a good process that we had managers trained as trainers.
SecurityRecruiter.com's Security Recruiter Blog