Recently in leadership-management Category

Effective today, I am gainfully employed full-time by Gemini Security Solutions. I'll be coming onboard in a combined security consulting and business development role. This is a very exciting opportunity - one I look forward to knocking out of the park!

About Gemini
From the About page: "Gemini Security Solutions provides impartial information security consulting services that ensure the confidentiality, integrity, and availability of critical business information and resources. Our value is centered on our ability to deliver the right expertise and the right experience, at the right time."

I've been following, with some amusement, the recent small burst of blogging on how to get into infosec. I find it somewhat amusing for a number of reasons, not the least of which is that it reminds me of any number of "lightbulb" jokes (How many general relativists does it take to change a light bulb? Answer: Two. One to hold the bulb while the other rotates the universe.). Why does it amuse me so? Well, for one thing, there's no real defined path into this industry. For another, there are still lots of grey areas with respect to roles and responsibilities. That being said, here are some of my quick hit thoughts.

In August 2009 I wrote about "Defensibility and Recoverability", in which I started developing the notion of using a legal basis for building a defensible position. I later expanded on this notion in the post "Creating Epic Fail Conditions: PCI and Best Practices", along with touching on it in a few other places. More recently, I used the idea of "legal defensibility" through the article "Architecting Adequacy: When Good Enough Really Is" in the March 2010 issue of The ISSA Journal (I'll post an ungated copy of the article when I get a chance). I also floated the idea at the ABA InfoSec Committee meeting during RSA, where I the response was very positive, including getting some air time on a couple panels in the LAW track at RSA.

So, that's a brief background, but what is it, really? What is "legal defensibility" and why do I think it amount to a new doctrine for the infosec community as a whole? More importantly, how can this new notion be used to successfully promote security initiatives, and why should you take it as a legitimate new argument and approach?

"Hang in there! 9 life lessons from rock climbing: Matthew Childs on TED.com"
http://blog.ted.com/2009/04/hang_in_there_9.php

9 Rules:
1. Don't let go
2. Hesitation is bad
3. Have a plan
4. The Move is the End
5. Know how to rest
6. Fear Sucks
7. Opposites are good
8. Strength != Success
9. Know how to let go

Watch the video (link above) for the full info. :)

(cross-posted from T2PA)

A common challenge as an infosec professional is the legacy association of the field with information technology (IT). This challenge can be quite detrimental to the enterprise, as an acute focus on technology will inevitably overlook critical issues (and I don't just mean policies!).

This year may provide the perfect opportunity to demonstrate this perspective. As budgets continue to tighten, it should quickly become obvious that "security" is far more than just an IT matter. If your organization takes a serious, deep look at all security responsibilities—arguably including risk management and assessment, policy, compliance, training and awareness, contract support, maybe litigation support, and possibly even audit—then the conclusion must necessarily be to decouple the future of your security program from the future of IT personnel.

"The important thing is not to stop questioning. Curiosity has its own reason for existing." Albert Einstein

There seems to be a fallacy in American politics and corporate life these days that conformity and blind acceptance of the prevailing BS perspective is the apex of social evolution. Nothing could (or should) be farther from the truth. The fact of the matter is that conformity and the oppression of dissent is a fundamental threat to the very foundations of this society. It undermines creativity and innovation, causing an erosion not only in social values but also in the ability to solve problems.

"Weakness of attitude becomes weakness of character." Albert Einstein

The prevailing problem, as I see it today, is that the powers that be believe their way is the only way, and that anybody who dares question that way is in fact threatening the basis of their existence. One need only look at the examples of oppression at the RNC in St. Paul earlier this month, or to the classrooms that are oppressed by the No Child Left Behind (NCLB) Act. Taking NCLB as a prime example, we find that students and teachers are now almost solely focused on preparing for a single high-stakes test, to the degree that all "education" is rote memorization, with little or no time spent on extension.

Extension of learned concepts and facts is a vital component to being educated. It's not enough to know that 1+1=2, but to then be able to extend this to knowing that 1+2=3 and beyond. It's also the ability to see that 1+x=2 means that x=1, and then to be able to expand that to other topics, like multiplication, such that when you go shopping you can look at a package of 100, 250, and 500 napkins and calculate out the per-napkin cost to see which package is in fact the better deal (yes, I know, many grocery stores put this on the label now).

There's a decent, short BusinessWeek article posted up on AOL.com titled "A Boomer's Guide to Communicating with Gen X and Gen Y" that is actually pretty decent. I'd love to see this presented to a couple of my old bosses so that they might try to understand why most of us didn't enjoy working for them! :)

If I were to add anything, it would be under the "Compensation" section: Time off is compensation, and should always be negotiable. Give me 5 weeks off per year plus sick leave and I'll settle for a lower salary no problem. However, put stupid limits on what is and is not negotiable and, well, you already have me thinking your org is outmoded and outdated, needing a major HR overhaul (of course, what org doesn't need a major HR overhaul these days?). fwiw.

Ever since I took Systems Engineering I in my masters program at GW, I've viewed information security and risk management a little differently. In fact, as I've matured over the years, I've come to view the field(s) through multiple lenses, and continue to seek out new perspectives. From Systems Engineering, I learned to view risk as a systematic problem that required fault tolerance and that needed to balance the cost of solutions against the effective reduction of loss potential. This approach is also very compatible with the "risk resiliency" approach that my current employer is favoring in their marketing pitch, and something that I've naturally latched onto as being similar to my style of communication around risk management.

To that end, I had an opportunity to meet with Dr. Vernon Grose of the Omega Systems Group this week. His organization has been providing systematic risk management services for a few decades. In particular, his methodology has a couple key components that I found to be particularly interesting. First, Omega advocates a top-down workshop approach to initiating risk assessment as a lead-in to making risk management decisions. This workshop has some similarities to the NSA IAM/IEM approach, but differs by focusing on the executive/strategic level, making use of scenarios for planning. Second, Dr. Grose brings to bear a systems engineering approach to risk management wherein all scenarios are evaluated against a minimum of 3 countermeasures, looking uniquely at the costs of reducing or eliminating the losses associated with a given risk scenario based on a refined ranking approach.

You can lead a horse to water, but you can't make it drink.

Someone recently asked on a mailing list what people thought of the impact of PCI DSS on software security (the current v1.1 of the standard has requirements to follow OWASP practices in secure coding). In thinking about the effectiveness of PCI, I concluded that it, like SOX, has reached a point of equilibrium as ineffectual. Businesses still seem to universally fail to grasp the value of most security practices, and thus resist the up-front costs required to undertake a truly transformational program.

In 2006 I completed the Masters program in Information Security Management at the George Washington University. As part of that process, I completed a Masters thesis, in which I performed a high level review of "models, frameworks, and methodologies" under the umbrella of "assurance" (aka "information security, "infosec assurance," "computer security," etc). The goal of this initial literature review was to find a single model that could be used across an entire assurance program, incorporating what I posited as the core competency areas of Enterprise Risk Management, Operational Security Management, and Audit Management. The result of this first phase was a determination that no such model existed. Being stymied and frustrated by this lack of enterprise-level models for instituting assurance management, I embarked on creating my own. The resultant Total Enterprise Assurance Management (TEAM) model accomplished this goal, and then some (I'll come back to this in a bit). It's worth noting, incidentally, that the literature review is now about 2.5 years old, yet I firmly believe that the conclusions are just as valid today.

I bring this all up now because security philosophy has been bugging me over the past couple weeks. In returning to security consulting, I am again reminded that not everyone understands security beyond their niche, which can be very problematic when trying to work in a cross-organizational manner.