Results tagged “management”

Things That Aren't Risk Assessments
In my ongoing battle against the misuse of the term "risk," I wanted to spend a little time here pontificating on various activities that ARE NOT "risk assessments." We all too often hear just about every scan or questionnaire described as a "risk assessment," and yet when you get down to it, they're not.

Continue reading here...

Incomplete Thought: The Unbearable "Bear Escape" Analogy
"You don't have to run faster than the bear to get away. You just have to run faster than the guy next to you."
The problem with this analogy is that we're not running from a single bear. It's more like a drone army of bears, which are able to select multiple targets at once (pun intended). As such, there's really no way to escape "the bear" because there's no such thing. And don't get me started on trying to escape the pandas...

Continue reading here...

Fatal Exception Error: The Risk Register
I read this article a few weeks ago and set it aside to revisit. In it, the author states that "Risk management used to be someone else's job." and then later concludes that "...in a global business arena that is increasingly unforgiving when it comes to missteps, the message is clear: Everyone--including you--now has to be a vigilant risk manager." Yes, well, sort of, maybe, kind of... hmmm...

Continue reading here...

My latest post...

3 Things I Think I Know About "Cyber" Risk

First, a note: when I say "cyber risk" here, I'm doing so knowing it's a somewhat equivocal term. I'm using it generically to be inclusive of IT risk, information risk, technical risk, and anything else along these lines that would roll-up under operational risk. More could be said, but I'll save it for another time...

Continue reading here...

There has been a lot of negative, cynical chatter lately about risk assessment and risk management. The average person doesn't understand it, and people who should understand it oftentimes throw up their hands in despair when citing examples such as the failures of Wall Street that led to the current economic mess. Unfortunately, all of this despair and cynicism seeks to throw out the baby with the bath water, as if to say that one bad apple spoils an entire orchard.

To me, I think the biggest challenges to risk management today lie in a few key areas: accountability, consequences, and formalized assessment methods. The first two areas are easy to explain. If you're doing a good job assessing and managing risk, then you can start holding people accountable for their decisions and actions. That accountability should then lead to consequences (positive or negative). Unfortunately, we live in an era where we fear failure, and thus pad ourselves, our families, our investments, and our country against suffering negative consequences. Without negative consequences, what is the point of managing risk?

My friend Wade recently posted his thoughts on how to go about building a security team. For the most part, I found his comments to be spot-on, with one major, glaring exception. At the end of his post, he starts talking about getting into planning and measurements once you have your team in place, overlooking one major area: risk management.

Now, in his defense, Wade's objective was sharing his thoughts on how to build a good security team, starting with a good security manager who actually understands things. You cannot simply put a well-connected talking head in place and expect them to be successful managing security without the necessary technical know-how to grok what is going on. That being said, choosing who to hire and when to hire them, as well as making decisions about what technologies to leverage within your security team, must be based on sound risk management principles.

When I'm talking about "risk management" here, I'm really talking from a high level, and I'm including risk assessment and measurement as part of the equation. Plain and simple, if you're charged with building a security team and managing security objectives, one of your top challenges will be prioritization of work and resources. With security, it's very easy to let oneself slip into semi-anarchic ways where you are quickly overwhelmed that all that needs to be done. In order to keep the tigers at bay you need to make use of sound decision-making practices that prioritize your workload on a few criteria.

The Value of Dissension

"The important thing is not to stop questioning. Curiosity has its own reason for existing." Albert Einstein

There seems to be a fallacy in American politics and corporate life these days that conformity and blind acceptance of the prevailing BS perspective is the apex of social evolution. Nothing could (or should) be farther from the truth. The fact of the matter is that conformity and the oppression of dissent is a fundamental threat to the very foundations of this society. It undermines creativity and innovation, causing an erosion not only in social values but also in the ability to solve problems.

"Weakness of attitude becomes weakness of character." Albert Einstein

The prevailing problem, as I see it today, is that the powers that be believe their way is the only way, and that anybody who dares question that way is in fact threatening the basis of their existence. One need only look at the examples of oppression at the RNC in St. Paul earlier this month, or to the classrooms that are oppressed by the No Child Left Behind (NCLB) Act. Taking NCLB as a prime example, we find that students and teachers are now almost solely focused on preparing for a single high-stakes test, to the degree that all "education" is rote memorization, with little or no time spent on extension.

Extension of learned concepts and facts is a vital component to being educated. It's not enough to know that 1+1=2, but to then be able to extend this to knowing that 1+2=3 and beyond. It's also the ability to see that 1+x=2 means that x=1, and then to be able to expand that to other topics, like multiplication, such that when you go shopping you can look at a package of 100, 250, and 500 napkins and calculate out the per-napkin cost to see which package is in fact the better deal (yes, I know, many grocery stores put this on the label now).

The Key Management Lifecycle

(NOTE: This blog post was updated on 3/31/08 to properly reflect the overlap of Rotation and Expiration. The original draft published incorrectly showed overlap between Rotation and Deployment, which, upon reflection, made no sense whatsoever.)

In my past life, I was involved in the review and management of cryptographic services, including helping define key management processes and requirements. Now that I'm back into the consulting world, I'm finding that the topic of key management and encryption requirements is one of interest to a fairly broad, and rapidly expanding audience. Let's face it: the PCI DSS requirement for encrypting data at rest has served as the catalyst for deployment of numerous crypto systems, creating a secondary risk scenario related to improper management of those systems and related crypto materials (keys).

Toward that end, I've put together here an overview of how I view the key management lifecycle. While I do not claim to be an expert in crypto systems, by any means, I hope that you will find my thoughts on this matter to be of use. If nothing else, I hope that you can use it to analyze crypto systems within your environment and help ensure that the amount of risk related to these systems and associated key management processes is acceptable, or can be revised to bring them inline with accepted risk tolerances.

You can lead a horse to water, but you can't make it drink.
As I've recently noted, the information security industry seems to be stagnated. We've come a long way from the old days of "security==firewall" - and yet, it strikes me that we still aren't really getting all that much done. As a consultant, it can be very frustrating to realize one's own mortality; we aren't able to play Superman in all situations. When we succeed in moving a mole hill cum mountain, we're hailed as heroes. When we get something done, our invoices/salaries get paid. Surely there must be more.

Someone recently asked on a mailing list what people thought of the impact of PCI DSS on software security (the current v1.1 of the standard has requirements to follow OWASP practices in secure coding). In thinking about the effectiveness of PCI, I concluded that it, like SOX, has reached a point of equilibrium as ineffectual. Businesses still seem to universally fail to grasp the value of most security practices, and thus resist the up-front costs required to undertake a truly transformational program.

The Danger of Intolerance in Public Fora

We've had an interesting, though sadly disparaging, thread on the cisspforum this week. I can't post any direct quotes for you, since that would be a violation of the forum guidelines, but I can talk about the issues in a generalized sense. I wish to do this because I find it indicative of some larger problems within the security industry, and in fact within American society at large.

The core point of contention in this thread was whether or not so-called "off-topic" posts were appropriate. The forum guidelines clearly prohibit content that is not related to security. A couple people argued quite vehemently that anything that diverged from that rule should be strictly omitted. This stance seems reasonable, perhaps, at first glance, but it begged a larger question: given the extremely broad subject that is security, how does one gauge whether or not a post is relevant? Moreover, who's opinion holds more weight in answering that question.

When Inflexible Meets Uncreative

It's a little after 5am local time and I've been up now for almost 2 hours. No, I'm not suffering from insomnia, nor am I trying to use myself in a sleep deprivation experiment. Rather, the security alarm in the apartment (for which I have no use) has decided to start beeping (rather loudly) about every 30 seconds. I'm sure they gave me directions for the darned thing when we moved in, but that was nearly 3 years ago, and I haven't the foggiest idea where they are.

So, the next logical thing was to call the after-hours maintenance hotline and have the on-call person paged. I say "logical" because the other option that occurred to me ranged between ripping the panel out of the wall to simply cutting the wires.

I called the maintenance hotline and the woman took my info and the nature of the problem and said she'd call maintenance. And then I waited. And waited. And waited. 30 minutes went by and no response. So, I called the hotline again, got the same woman, and she says "I'm sorry, this isn't on our pre-defined list of emergencies." !!!!!!! An alarm, for which I have no remedy, is going off at 3:30am and she won't page the on-call because it's not on her list. To make matters worse, she couldn't be bothered to call me back and tell me this. I had to wait 30 minutes and then call back to find this out. Putting aside the sheer failure in customer service, let's explore the fundamental problem here: inflexibility and a lack of creativity in finding a solution. This minimum wage drone had no motivation to help me.

Guy Kawasaki: The Art of Innovation

I was able to attend a great seminar at work today. Guy Kawasaki of Apple Mac and Garage.com fame delivered an excellent presentation titled "The Art of Innovation." Below are my notes on the presentation.



Notes on Cialdini's Influence

"Because technology can evolve much faster than we can, our natural capacity to process information is likely to be increasingly inadequate to handle the surfeit of change, choice, and challenge that is characteristic of modern life. More and more frequently, we will find ourselves in the position of the lower animals -- with a mental apparatus that is unequipped to deal thoroughly with the intricacy and richness of the outside environment. Unlike the animals, whose cognitive powers have always been relatively deficient, we have created our own deficiency by constructing a radically more complex world." (Influence, p.277)
I've recently completed Robert Cialdini's Influence: The Psychology of Persuasion (Collins Business Essentials). The book covers in detail what Cialdini has identified as the six most common methods of influence that are used or abused in compliance situations. A compliance situation would be any scenario where someone is trying to get something from someone else, either for themselves or their organization. Each of the six methods has its own chapter, which provides copious anecdotal and academic backing.

This work fascinated me from an information security perspective. One of the primary threats to average users today is from phishing and spam, which often lead to various types of fraud. These attack vectors often leverage one or more of the six methods, as I'll describe below. Following are my notes from the reading, with additional thoughts and anecdotes added as applicable.

Reflection on Facilitative Leadership

I recently (and, by recently, I mean 8 days ago) had the opportunity to attend the course Facilitative Leadership by Interaction Associates. I found the course quite interesting, and in retrospect learned more from it than I gave credit for initially. A lot of the focus in the course seemed to be on running meetings where work needed to be progressed or completed. However, thinking about it now, it really spoke to larger leadership issues that I think are very important.

Perhaps the best lesson I learned was the hierarchical relationship between Values, Mission, and Vision. Oftentimes companies get hung up on mission and mission statements, while others will go on and on espousing their values. This is, however, the first time I've really heard anyone talk about putting a vision out front around which to organize a project. As I'm beginning to do light work into cognitive psychology, this point resonated with me because it speaks to establishing a visual (mental) image toward which people can work.

1

My Other Pages

Support Me

Support EFF


Bloggers' Rights at EFF

Creative Commons License
This blog is licensed under a Creative Commons License.
Powered by Movable Type 5.2.10