Tuesday, April 30, 2013

Stuff I Say - Iterative Improvement

   This is yet another in my "Stuff I Say" series of posts.  I like to think about concepts of security management, though these ideas can certainly be applied to IT management (and management in general).  The themes of these posts are both things I think about and things I actually say.

   We've all got an incredible amount of work to do.  Most organizations have too many projects and ongoing development work, as well as too many existing and legacy tech assets to secure.  There are not enough resources to go around and the shortage of talent has been discussed in the tech media.  Prioritization is always a challenge.

   Security professionals have a difficult job.  Protecting individual and corporate data, and systems and networks is complex and often not well defined.  We don't really know when we've got it "right" (if there is a right), but we often find out the hard way when we've got it wrong!

   So, when faced with a new project, some security groups want to try to do everything at once.  We can't boil the ocean... but we have to start somewhere.  Some call it baby steps. Some call it putting one foot in front of the other.  I call it Iterative Improvement.

Monday, April 22, 2013

Stuff I Say - Do What Makes Sense

   Today I'm continuing a set of posts I started last year.  These ideas are covered in a fun talk entitled #*%! My CISO Says, covering a range of security governance and management topics.  Slides are on my slideshare page.  The first two posts are here and here.

   The idea of doing what makes sense is central to my thinking (about many things).  In security, many people base their strategies and tactics on what they read or what others are doing.  But you can't provide useful information security based on what you read in a book.  One size does not fit all.

   When we don't do what makes sense, we end up with ineffective controls (like this ineffective control from one of my favorite security pictures).

   What works in one organization does not necessarily work in another.  This can be true for a variety of reasons including differing regulatory environments, organizational culture and kinds of assets/information.  This is why I've never liked the phrase, or idea of, "best practices".  I prefer "good practices" (more on that some other time...).

   It's easy to say we want to do what makes sense.  But how do we put that into practice in our organizations?

   Here are 2 considerations:

Risk Management approach.  Rather than using strategies and practices from a book, we need to understand a number of things about our organization including:
  • what "stuff" do we have?
  • what stuff do we need to protect?
  • what threats do we know of?
  • to what threats are we vulnerable?
  • what is the potential impact if these threats manifest?

   Asking these, and subsequent, questions can help lead to a better understanding of the environment

   Then... Seek out and destroy policies/practices that do not add value!  Consider:
  • ineffective controls - find them and get rid of them!  And, if you do remove a control, make sure that you let the users know!
  • annoyances that effect people's perception of security - convenience v. security is always a trade-off, but your controls must take into account people's work practices
  • what makes work harder - security and IT must support the business.  If complying with controls negatively impacts the business you may find your program overruled.
  • overly strict practices can cause people to try to circumvent controls to get things done.
   This doesn't mean that the security organization allows a free-for-all.  My point is that by considering how users need to use the systems, examining alternatives, and working with your business partners, you can come up with a set of controls that protect systems and data, meet regulatory requirements AND allow people to get their work done.

   Can you think of ineffective or unnecessary controls in place at your organization?  How have you partnered with business users to come up with controls that meet all needs?

Tuesday, April 16, 2013

Bring It On Home

   There have been a number of discussions about the value of Security Awareness training floating around the net.  Some say that even with training, people will still fall for phishing attacks and social engineering, and that networks and servers will still get hacked.  I wrote about this a while back.

   I think there is great value to awareness training.  To me, the content and delivery are key considerations.  If the security messages are the same old, rehashed information then it will be hard to get people to pay attention, care and retain information.  No one wants to see yet another dry review of an organization's security policies.

    But there is a better way...

Tuesday, April 9, 2013

Keeping Security Simple

   This week I did a national webcast with Capella University.  The topic was the Insider Threat.  But my take on this is a bit different than what's usually said on this subject.  I call it "The Accidental Insider".  You can see my slides here.

   I was talking about how I think that accidents are the major cause of breaches.  I've talked a bit about how important it is to keep things simple here.

   If you're an information security professional, hopefully you are familiar with the Verizon Data Breach Investigations Report (DBIR).  You can see their page for the latest report.

   One of the interesting things they point out in the report is summarized in this table:

Tuesday, April 2, 2013

My Top 4 Everyday Apps

   I don't know about you, but I was not happy when Google announced that it would be pulling support of Google Reader on July 1.  Reader is tool I use all the time.  I have the RSS toolbar extension on Firefox on my computers set to default to reader so I can quickly add new sources to my feeds.  I regularly check reader on my computers and use the app on my mobile devices.

   So I was looking for a reader replacement.  CIO Online put together a nice list of alternatives.  After reviewing that list, I decided that feedly seemed to be the app that best met my needs.  I downloaded the feedly add-on for my browser(s) as well as the app for my mobile devices.  And that got me thinking... do I need the app on my mobile devices?  After all, mobile devices tend to become clogged with too many apps, and mine are no exception.

   And that got me thinking... what mobile apps am I really using?