Recently in leadership-management Category

Unless you were off-planet last week, you've probably heard about President Obama's latest Executive Order, directing various agencies to step up their game on "critical infrastructure" cyber security. As part of this directive, NIST will be building a new framework oriented toward critical infrastructure that will help document processes, standards, best practices, etc, etc, etc. Gah!

The 1980s called and they want their lousy idea back. The 1990s also called, but they just repeated the prior point. The 2000s called and said "What is this, the '80s?!"

If frameworks were going to get the job done, then the job would be done. If securing data and operations was really such a simple task, then we would not be having this conversation, nor would we be reading reports, like Mandiant's big "APT1" blow-out from yesterday (you know, the big shocker that revealed that China is, in fact, hacking everyone... ok, not a shocker... or even really news... since we pretty much already know all that, right?).

If you've not had the opportunity to read the recent Dan Geer / Jerry Archer IEEE S&P Cleartext column titled "Stand Your Ground," then please go read it now. It's only a single page, two-column article and it won't take you long. It is, hands-down, one of the best summaries of contemporary, leading-edge thinking on the state of infosec that I've seen.

Finished? Cool... let's continue...

The future of security is that it shouldn't have a future; at least, not as its own dedicated profession. Rather, security is merely an attribute of operations or code, which is then reflected through appropriate risk management and governance oversight observations and functions. That we still have dedicated "security" functions belies the simple truth that creating separation ends up causing as many problems as it solves (if not more).

This is not a new line of thinking for me. Nearly 3 years ago I asked whether or not a security department was needed. At the time, I was working as a technical director of security for a SMB tech firm, and as the first dedicated security resource, I had concluded that building a team wasn't going to be fruitful. Rather, it made sense to jump right past the "dedicated security team" phase and go right to the desired end-state.

InfoSec vs. Fast Food Nation

Many problems in infosec trace back to human activities, and are consequently reflective of larger societal issues, which have been often represented by the "fast food nation" and "age of ignorance" notions. Sadly, these characterizations are true, as we see now played out with the BYOD movement, so-called "consumerization" of IT, and difficulties keeping control of data.

What got the wheels turning for me was an article I read back in March on The New York Review of Books blog titled "Age of Ignorance". In the article, they pointedly lament what seems to be a rush toward idiocracy and away from a more golden time where intelligence, academia, and open-ended R&D were considered positives. In fact, tying this back into the security meme of my blog, they marvel at even the most fundamental failing of our current society to even know our own basic histories, pinned largely on extremism on both ends of the political spectrum, and representing a very 1984-like reality.

Effective today, I am gainfully employed full-time by Gemini Security Solutions. I'll be coming onboard in a combined security consulting and business development role. This is a very exciting opportunity - one I look forward to knocking out of the park!

About Gemini
From the About page: "Gemini Security Solutions provides impartial information security consulting services that ensure the confidentiality, integrity, and availability of critical business information and resources. Our value is centered on our ability to deliver the right expertise and the right experience, at the right time."

I Am InfoSec, and So Can You

I've been following, with some amusement, the recent small burst of blogging on how to get into infosec. I find it somewhat amusing for a number of reasons, not the least of which is that it reminds me of any number of "lightbulb" jokes (How many general relativists does it take to change a light bulb? Answer: Two. One to hold the bulb while the other rotates the universe.). Why does it amuse me so? Well, for one thing, there's no real defined path into this industry. For another, there are still lots of grey areas with respect to roles and responsibilities. That being said, here are some of my quick hit thoughts.

In August 2009 I wrote about "Defensibility and Recoverability", in which I started developing the notion of using a legal basis for building a defensible position. I later expanded on this notion in the post "Creating Epic Fail Conditions: PCI and Best Practices", along with touching on it in a few other places. More recently, I used the idea of "legal defensibility" through the article "Architecting Adequacy: When Good Enough Really Is" in the March 2010 issue of The ISSA Journal (I'll post an ungated copy of the article when I get a chance). I also floated the idea at the ABA InfoSec Committee meeting during RSA, where I the response was very positive, including getting some air time on a couple panels in the LAW track at RSA.

So, that's a brief background, but what is it, really? What is "legal defensibility" and why do I think it amount to a new doctrine for the infosec community as a whole? More importantly, how can this new notion be used to successfully promote security initiatives, and why should you take it as a legitimate new argument and approach?

"Hang in there! 9 life lessons from rock climbing: Matthew Childs on TED.com"
http://blog.ted.com/2009/04/hang_in_there_9.php

9 Rules:
1. Don't let go
2. Hesitation is bad
3. Have a plan
4. The Move is the End
5. Know how to rest
6. Fear Sucks
7. Opposites are good
8. Strength != Success
9. Know how to let go

Watch the video (link above) for the full info. :)

It's "Security" - Not "Secure IT"

(cross-posted from T2PA)

A common challenge as an infosec professional is the legacy association of the field with information technology (IT). This challenge can be quite detrimental to the enterprise, as an acute focus on technology will inevitably overlook critical issues (and I don't just mean policies!).

This year may provide the perfect opportunity to demonstrate this perspective. As budgets continue to tighten, it should quickly become obvious that "security" is far more than just an IT matter. If your organization takes a serious, deep look at all security responsibilities—arguably including risk management and assessment, policy, compliance, training and awareness, contract support, maybe litigation support, and possibly even audit—then the conclusion must necessarily be to decouple the future of your security program from the future of IT personnel.

The Value of Dissension

| 1 Comment
"The important thing is not to stop questioning. Curiosity has its own reason for existing." Albert Einstein

There seems to be a fallacy in American politics and corporate life these days that conformity and blind acceptance of the prevailing BS perspective is the apex of social evolution. Nothing could (or should) be farther from the truth. The fact of the matter is that conformity and the oppression of dissent is a fundamental threat to the very foundations of this society. It undermines creativity and innovation, causing an erosion not only in social values but also in the ability to solve problems.

"Weakness of attitude becomes weakness of character." Albert Einstein

The prevailing problem, as I see it today, is that the powers that be believe their way is the only way, and that anybody who dares question that way is in fact threatening the basis of their existence. One need only look at the examples of oppression at the RNC in St. Paul earlier this month, or to the classrooms that are oppressed by the No Child Left Behind (NCLB) Act. Taking NCLB as a prime example, we find that students and teachers are now almost solely focused on preparing for a single high-stakes test, to the degree that all "education" is rote memorization, with little or no time spent on extension.

Extension of learned concepts and facts is a vital component to being educated. It's not enough to know that 1+1=2, but to then be able to extend this to knowing that 1+2=3 and beyond. It's also the ability to see that 1+x=2 means that x=1, and then to be able to expand that to other topics, like multiplication, such that when you go shopping you can look at a package of 100, 250, and 500 napkins and calculate out the per-napkin cost to see which package is in fact the better deal (yes, I know, many grocery stores put this on the label now).

My Other Pages

Support Me

Support EFF


Bloggers' Rights at EFF

Creative Commons License
This blog is licensed under a Creative Commons License.
Powered by Movable Type 5.2.10