leadership-management Archives

April 26, 2007

Reflection on Facilitative Leadership

I recently (and, by recently, I mean 8 days ago) had the opportunity to attend the course Facilitative Leadership by Interaction Associates. I found the course quite interesting, and in retrospect learned more from it than I gave credit for initially. A lot of the focus in the course seemed to be on running meetings where work needed to be progressed or completed. However, thinking about it now, it really spoke to larger leadership issues that I think are very important.

Perhaps the best lesson I learned was the hierarchical relationship between Values, Mission, and Vision. Oftentimes companies get hung up on mission and mission statements, while others will go on and on espousing their values. This is, however, the first time I've really heard anyone talk about putting a vision out front around which to organize a project. As I'm beginning to do light work into cognitive psychology, this point resonated with me because it speaks to establishing a visual (mental) image toward which people can work.

Continue reading "Reflection on Facilitative Leadership" »

July 24, 2007

Guy Kawasaki: The Art of Innovation

I was able to attend a great seminar at work today. Guy Kawasaki of Apple Mac and Garage.com fame delivered an excellent presentation titled "The Art of Innovation." Below are my notes on the presentation.



Continue reading "Guy Kawasaki: The Art of Innovation" »

March 2, 2008

My Philosophy of Security

In 2006 I completed the Master's program in Information Security Management at the George Washington University. As part of that process, I completed a Master's thesis, in which I performed a high-level review of "models, frameworks, and methodologies" under the umbrella of "assurance" (aka "information security," "infosec assurance," "computer security," etc). The goal of this initial literature review was to find a single model that could be used across an entire assurance program, incorporating what I posited as the core competency areas of Enterprise Risk Management, Operational Security Management, and Audit Management. The result of this first phase was a determination that no such model existed. Being stymied and frustrated by this lack of enterprise-level models for instituting assurance management, I embarked on creating my own. The resultant Total Enterprise Assurance Management (TEAM) model accomplished this goal, and then some (I'll come back to this in a bit). It's worth noting, incidentally, that the literature review is now about 2.5 years old, yet I firmly believe that the conclusions are just as valid today.

I bring this all up now because security philosophy has been bugging me over the past couple weeks. In returning to security consulting, I am again reminded that not everyone understands security beyond their niche, which can be very problematic when trying to work in a cross-organizational manner.

Continue reading "My Philosophy of Security" »

March 6, 2008

Transformational Change Starts with the Business

You can lead a horse to water, but you can't make it drink.

As I've recently noted, the information security industry seems to be stagnated. We've come a long way from the old days of "security==firewall" - and yet, it strikes me that we still aren't really getting all that much done. As a consultant, it can be very frustrating to realize one's own mortality; we aren't able to play Superman in all situations. When we succeed in moving a mole hill cum mountain, we're hailed as heroes. When we get something done, our invoices/salaries get paid. Surely there must be more.

Someone recently asked on a mailing list what people thought of the impact of PCI DSS on software security (the current v1.1 of the standard has requirements to follow OWASP practices in secure coding). In thinking about the effectiveness of PCI, I concluded that it, like SOX, has reached a point of equilibrium as ineffectual. Businesses still seem to universally fail to grasp the value of most security practices, and thus resist the up-front costs required to undertake a truly transformational program.

Continue reading "Transformational Change Starts with the Business" »

About leadership-management

This page contains an archive of all entries posted to The Falcon's View in the leadership-management category. They are listed from oldest to newest.


This weblog is licensed under a Creative Commons License.