People and Process First!

   I've been reading, and hearing, lately about the ideas of client-centric or human-centric IT.  Here's a cool article and interactive infographic from GovLoop.com.  It describes a roadmap approach to get to a people-centric approach while showing examples of what some US federal agencies are doing to advance the cause.

   I like infographics!  They are fun, impactful, and this is a good one.  But, sometimes they are so busy that the simplest parts of the message gets obscured.

   It's not just infographics that obscure simple ideas.  Security and IT are experts at over-complicating things.  We get so caught up in the cool tools that we sometimes miss the main point.

   In the Security and IT world, we should always look at any project or program through the lenses of:

1. People
2. Process
3. Technology

   And definitely in that order!

Beyond the Checklist - Compliance v. Security

   SC Magazine put out a good article last week entitled Beyond the Checkbox: PCI DSS.  The article cover new revisions in the Payment Card Industry (PCI) security standard (Data Security Standard DSS).

   The point of the article is something I've been saying for years... That we can simply treat security regulatory standards as checklists.  It's not about just meeting the minimum requirements.  It's about integrating the standards into your security program.

   Now, I'm not completely dismissing checklists.  In fact, I think they have some great places within your program.  For example: server build checklists; server hardening checklists, and; an SDLC checklist.  I'm a big fan of the CIS checklists for hardened configurations.  I also like a standardized secure engineering process (or SDLC) with specific steps.

   As I've discussed here in the past, one size does not fit all.  While we can all share our processes, it's critical to tailor any process or checklist to your environment.

   But here's my main point... Compliance does not equal Security!

More Problems with Passwords???

   While I like to write about a variety of security-related topics, it seems that issues with passwords
keep coming up again and again.

   Passwords, and in particular their use for online authentication, is a mess.  I've written about this a number of times including here, here and here.  My advice for online use of passwords has been the same all along.  I've always said:

1. choose good long passwords (long sentences are just fine)
2. use a password vault, and
3. use a unique password at each online site.
4. (bonus) use 2-factor authentication for online sites when available (and complain if it isn't available yet!) 

   But... I had missed something!  There is another key thing that everyone needs to do to protect their online passwords... Don't Store Passwords in Your Browser!

A Culture of Security - The Best Infection!

   I was recently reading an interesting article at SearchSecurity entitled Staff infection: IT security education is contagious.  The article notes that security is the responsibility of every individual and that for an organization to have even a semblance of security, there has to be both buy-in and shared action by the members of the organization.

   The article, very correctly, mentions:

Even in today’s world, the general IT worker tends to view security as a barrier and a pain. It is implemented by someone else, and it makes their job harder to perform.

   This is one of the key problems caused by many security programs.  The information security industry often causes problems for itself by being difficult and inflexible.  Security is often viewed as a barrier.  Security is the group that adds extra requirements, delays projects and increases costs.  And with all of that, Security can't guarantee prevention, nor even provide a reliable probability of, an incident or breach.