No, really, I like vanilla.
Vanilla.
I’ve just spent the last few minutes trying to think of the right one-word description of my impression of the Gartner Information Security Summit (or at least so far). And that word is “vanilla”. Not “vanilla” in a bad way, but “vanilla” as in delicious and satisfying, yet without any sprinkles on top. I came to this Gartner event expecting chocolate chip cookie dough, but I like vanilla too.
Everything at this conference has been about practical advice - since Gartner’s objective is to provide information and advice to their customers, they’ve been very successful. What I’m missing is a little pizazz: I want someone to go crazy and tell me that cloud computing is all hype, or that HIPAA is garbage, or that encryption is overrated. Even the keynote entitled “The Inheritance: Challenges to the New Administration in CyberSpace” by David Sanger didn’t zing me (and with tantalizing words like “Challenges”, “New Administration”, and “CyberSpace” I was really expecting some zing).
So here’s the deal: if you want practical advice to help you perform your job or to make more convincing business cases for information security, come to the Gartner show; otherwise, if you want some wild ideas or envelope-pushing, look elsewhere. Interestingly enough, there are a lot of C-level types at this show, so next time you get an intimate moment with your CISO (which may be never), ask them what their favourite ice cream flavour is - I bet they will say vanilla.
By the way, the last session of the conference is called “Worst Best Practices and Useless Useful Technologies Unmasked”. The session is described as “just-for-fun”, which sounds entirely un-vanilla to me; I can’t imagine what the analysts could possibly have to say.
—
Dave Morgan, Director of Privacy Research at Camouflage Software Inc.
Guest blogger for ComputerWorld Canada at Gartner Information Security Summit 2009
Regular blogger for Cogitatio Privatim by Camouflage
Don’t say “no” to bad information security; but don’t say “yes” either
I just attended a session with Jay Heiser and Tom Scholtz at the Gartner Information Security Summit called “Don’t be a Dr. No: A Framework for Positive Information Security Management”. The premise of the title, and session, is that information and security management often develop a reputation for restricting and discouraging activities for risk considerations that their colleagues just don’t understand. I admit that I have been a “Dr. No” from time to time in the past; I try to use the “no” card sparingly, and only when I really mean it.
One of the important positive actions that the speakers stressed was to use risk/data ownership as a communication tool - the premise being that when people assume ownership they tend to accept less risk. As a humorous anecdote, Tom Scholtz told a story about how a business unit downloaded ownership of a particular application to the IT department. The IT department thought there was too much risk associated with the application, so they drafted plans to eliminate it; naturally, when the business unit got wind of this they accepted ownership and worked with IT to make positive changes.
This novel tale is just like saying “no”, but in a much more convoluted/devious way. Of course, Heiser and Scholtz didn’t advocate this as a viable strategy; yet, when the audience heard the story, everyone gave that sort of chuckle that says “that’s so ridiculous, but …”
If you are at the end of your rope (and aren’t afraid of getting fired) maybe this is an “ace in the hole” that you might like to try.
—
Dave Morgan, Director of Privacy Research at Camouflage Software Inc.
Guest blogger for ComputerWorld Canada at Gartner Information Security Summit 2009
Regular blogger for Cogitatio Privatim by Camouflage
I got schooled by Google
Earlier today at the Gartner Information Security Summit, I sat in on a session offered by Google (you may have heard of them before - my friends tell me they have a popular search engine). The session was a case study of how a local public school group made the transition over to Google Apps for mail and other services. I was only moderately interested at first, but I figured that I’d at least learn Google’s latest plans for world domination.
In the end, the presentation turned out to be really interesting. The guy from Google spoke for a few minutes in order to give the audience a background in just exactly what Google Apps are available, but then promptly turned it over to the people from Prince George’s County Public Schools (PGCPS). What followed was a frank discussion of how a resource-strapped educational group with over 22,000 employees and 130,000 students was able to deliver a better user experience for a lot less money. From an information security perspective, they were careful to resolve data ownership and retrievability issues up front, and are pleased to avail of continuous security upgrades via the “G-cloud”. Granted, not everything went smoothly, and they are still using Active Directory and Exchange for a few things that Google hasn’t perfected, but they seem very satisfied.
Not only is PGCPS satisfied, but they also seem proud of what they have accomplished. They make their presentation available online and invite people to contact them for more information. If any of you are thinking of making the move to Google Apps, you really should take a look at the presentation to see how the challenges faced by PGCPS compare to your own. Regardless, you can take comfort in knowing that successful use of Google Apps in a larger organization is not a myth.
—
Dave Morgan, Director of Privacy Research at Camouflage Software Inc.
Guest blogger for ComputerWorld Canada at Gartner Information Security Summit 2009
Regular blogger for Cogitatio Privatim by Camouflage
Seeking mentors at the Gartner Information Security Summit
The Gartner Information Security Summit 2009 got underway this morning in National Harbor, MD (aka just a bit too far outside of D.C. to say you are in D.C.). This morning’s keynotes had a clear focus on information security roles, career paths, and forecasts for the field. For the most part, the talks had all the usual comments that we’ve heard before: threats are outpacing defense, training and certification is important, advanced positions require an understanding of the business and its objectives, etcetera. Nothing really new.
But there was one little nugget of good advice for all information security professionals - it wasn’t revolutionary, but it was a nice reminder. During the keynote panel “The CISO’s Skill Set”, Joyce Brocaglia, CEO and Founder of the Executive Women’s Forum, Alta Associates, Inc., stressed the importance of corporate mentorship and coaching. All too often, we turn to seminars and certifications to make us better employees and advance our careers even though real education is staring us right in the face.
If we expose ourselves just a little by seeking - and more importantly, asking - for mentorship, then we can gain practical career advice that cuts to the chase and only costs us a few cups of coffee. As Brocaglia suggested, you might not get to meet with your mentor every month, but you probably will every quarter. And as her co-panelists rightly noted, by asking for mentorship you stand to form a relationship which sees you advancing in lock-step with your mentor.
Sounds like a good deal to me.
—
Dave Morgan, Director of Privacy Research at Camouflage Software Inc.
Guest blogger for ComputerWorld Canada at Gartner Information Security Summit 2009
Regular blogger for Cogitatio Privatim by Camouflage
Staying accountable
This week’s resource selections focus on accountability and corporate governance – two subjects every information security professional should be comfortable talking about with every executive.
Have a great weekend.
1. Creating the Accountable Organization
Creating the Accountable Organization is a practical guide for ending the “Blame Game” and developing a work environment where people keep their agreements. Focused on improving Performance Execution, this book provides you with strategies and tools for achieving measurable results. http://www.impaqcorp.com/products-08.html
2. IMPAQ
IMPAQ believes that accountable organizations create an environment where people can count on each other to achieve business results with higher quality and fewer resources, and sustain greater levels of trust and morale. http://www.impaqcorp.com/AboutUs-08.html
3. Financial Management Capability Model
The environment in which the Canadian federal government operates is rapidly changing. The effects of limited resources, downsizing and delayering are placing greater demands on government services to Canadians; the need for effective financial management is greater than ever. The Financial Management Capability Model presented sets out the Office of the Auditor General’s expectations for financial management and is the basis on which future audits in this area will be conducted. http://www.oag-bvg.gc.ca/internet/English/meth_lp_e_15716.html
4. Renew Commitment to Corporate Governance and Oversight Excellence
NACD believes corporate boards of directors must lead the way in improving board performance and corporate oversight. NACD’s Key Agreed Principles provide the framework necessary for boards to do so. To help boards create new practices that follow the Principles, NACD convened thought-leaders from around the nation to focus on the four areas identified as the most critical by the director community. The resulting White Papers Series I: Risk Oversight, Transparency, Strategy and Executive Compensation, examines the current environment and summarizes NACD’s recommendations on these topics. https://secure.nacdonline.org/source/members/whitepages/white-pages.cfm
5. Corporate Governance and the Credit Crunch
The credit crunch poses a grave threat to the economies of the developed and developing world. The global banking industry, which was by far the most profitable sector in 2006, is in severe difficulty and the threat that this poses to the real economy is profound. This paper sets out ACCA’s thoughts on what has happened and, looking to the future, makes recommendations and considers how accountants can help.
http://www.accaglobal.com/pubs/economy/analysis/acca/technical_papers/tech_2.pdf
6. Riveting talks by remarkable people, free to the world (TED)
TED stands for Technology, Entertainment, Design. It started out (in 1984) as a conference bringing together people from those three worlds. Since then its scope has become ever broader.
http://www.ted.com/index.php
————————————————————————-
Sentinel - IT Governance monthly newsletter
Sentinel provides free monthly updates and resources across the whole spectrum of IT governance subject matter, including Risk Management, Information Security, Compliance and much more. Click here to see the previous editions of the newsletter. To subscribe visit http://www.itgovernance.co.uk/newsletter.aspx
From ethics to college basketball
This week’s resource selections cover ethics, project management, psychology, leadership, and even a bit of basketball.
- Dan Swanson
1. Ethisphere’s Expert Corner and the Ethisphere Magazine
Interviews and articles by various leaders and subject matter experts. In an age of deeper government scrutiny of business operations, increased civil and criminal penalties for compliance failure, and heightened consumer awareness and sophistication, organizations that want to lead realize that there is a direct link between ethics and profits. Ethisphere Magazine was created to illuminate this important correlation. Its mission is to help corporate executives guide their enterprises toward gaining market share and creating sustainable competitive advantage through better business practices and corporate citizenship.
http://ethisphere.com/category/expert/
http://members.ethisphere.com/
2. Are You Learning From Project to Project?
If you’re among the 99 percent of us who fail this simple test—but shouldn’t—you could be in a position of weakness, to the detriment of your current and upcoming projects.
http://www.nealwhittengroup.com/articles/pmn3-99.asp
3. Four stages of competence
In psychology, the four stages of competence, or the “conscious competence” learning model relates to the psychological states involved in the process of progressing from incompetence to competence in a skill.
http://en.wikipedia.org/wiki/Unconscious_incompetence
4. What Can Managers Learn From College Basketball?
To gain insights into the labor market, consider how basketball coaches move from one job to another.
5. Eight Dumb Project Management Beliefs
There is much more to learn within the project management profession than meets the eye of the casual practitioner/observer. This list discloses eight commonly held beliefs that are thought to be true, but are all false.
6. Teamwork and Creativity Help to Identify Root Causes
In problem-solving methodologies, identifying potential causes is a crucial step between process mapping and data collection and analysis. It involves the best available process knowledge, as well as creativity. Creativity and team management tools, more often employed for solution finding than for root cause finding, can generate deep understanding of the process mechanics and help the team prepare for the distilling and data-based validation of the “essential few” root causes of a problem.
http://www.realinnovation.com/content/c090511a.asp
————————————————————————-
Sentinel - IT Governance monthly newsletter
Sentinel provides free monthly updates and resources across the whole spectrum of IT governance subject matter, including Risk Management, Information Security, Compliance and much more. Click here to see the previous editions of the newsletter. To subscribe visit http://www.itgovernance.co.uk/newsletter.aspx
Retooling your IT security plans
This week’s resource selections focus on implementing a solid information security program that includes a comprehensive information security enterprise architecture.
Dan Swanson
————————————————-
1. Twenty Critical Controls for Effective Cyber Defense: Consensus Audit Guidelines
This consensus document of 20 crucial controls is designed to begin the process of establishing a prioritized baseline of information security measures and controls. The consensus effort that has produced this document has identified 20 specific technical security controls that are viewed as effective in blocking currently known high-priority attacks, as well as those attack types expected in the near future.
2. Avoiding IS Icebergs
This article explores the audit’s assurance role regarding information security and outlines approaches and methodologies. As with all Secure Strategies articles, this feature is targeted to the beginner infosec professional, though more experienced practitioners will also find it useful as an update on what’s available and in use today.
http://journals2.iranscience.net:800/infosecuritymag.techtarget.com/infosecuritymag.techtarget.com/articles/october00/features3.shtml
3. CISO Strategies
CISO Strategies provides IT thought leaders with practical advice and strategic insight into the management of information systems security. Cutting-edge editorial explores the increasingly important role of IT security in protecting an organization’s intellectual property, privacy, IT infrastructure and public reputation.
4. The SABSA Method
SABSA is a proven framework and methodology for Enterprise Security Architecture and Service Management used successfully by numerous organisations around the world. It is used globally to meet a wide variety of Enterprise needs including Risk Management, Information Assurance, Governance, and Continuity Management.
http://www.sabsa.org/the-sabsa-method.aspx
5. SANS’ Information Security Reading Room
Featuring over 1777 original computer security white papers in 73 different categories.
http://www.sans.org/reading_room/
6. Incident Management
An incident management capability is the ability to provide management of computer security events and incidents. It implies end-to-end management for controlling or directing how security events and incidents should be handled. This involves defining a process to follow with supporting policies and procedures in place, assigning roles and responsibilities, having appropriate equipment, infrastructure, tools, and supporting materials ready, and having qualified staff identified and trained to perform the work in a consistent, high-quality, and repeatable way.
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/incident/223-BSI.html
Move over Conficker, Gumblar is here
2009 might truly be the year of the virus — both in the real world and in the virtual world.
The swine flu/H1N1 virus has caused widespread fears across the world and has pretty much been a fixture of every newscast over the last few weeks. Of course, all of this came on the heels of the heavily hyped Conficker virus, which was supposed to shut down the Internet or something along those lines.
Now, the next big virus might have reared its ugly head in the form of something called Gumblar, which has managed to garner some serious attention in IT security circles.
If you haven’t heard of it by now, the attack apparently spreads through the Web via malicious JavaScript code. A victim can be infected with Gumblar simply by visiting a page featuring this malicious code.
According to security researchers, once a PC is successfully Gumblared (a fake word that I just made up), the malware will redirect the infected users’ Google search engine results to point to malware and phishing sites. The malicious code will also scour its victims’ system for FTP credentials that can be used to infect more Web sites with Gumblar.
So basically this new virus is a tool that will hopefully dupe infected users toward other serious viruses. Pretty crafty thinking, but not something we should be panicking over like we all did with Conficker.
Why not, you ask? I think the results of this Google Fight speak for themselves.
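The post describes two halves of the Gumblar loop: a page carrying injected JavaScript infects visitors, and stolen FTP credentials are then used to inject that JavaScript into more sites. The site-owner side of that loop is detectable with an ordinary integrity check, because an injection changes a page and adds a script element that was not there before. The following added example (mine, not from the original post or any Gumblar write-up) baselines a web root's file hashes and script inventory, then reports modified files and the specific script blocks that appeared. The web root, the two sample pages and the injected script URL are all constructed for the demonstration; the `malicious.example` host is a placeholder, not a real indicator.

```python
"""Baseline-and-diff integrity check for a static web root.

Added example, not from the original post. The idea: a site owner cannot
easily judge which script is malicious, but can detect that a page changed
and that new <script> elements appeared since the last known-good baseline.
All file content and the injected URL below are constructed for the demo.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Matches a whole <script ...>...</script> block, including inline bodies.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
# Extracts the src attribute from an opening <script> tag.
SRC_RE = re.compile(r'src\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)
PAGE_SUFFIXES = {".html", ".htm", ".php"}
WATCHED_SUFFIXES = PAGE_SUFFIXES | {".js"}


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def script_summary(html: str) -> list[str]:
    """Name each <script> block: 'src:<url>' for external scripts,
    'inline:<sha256 prefix>' for inline ones, so additions can be reported."""
    out = []
    for m in SCRIPT_RE.finditer(html):
        block = m.group(0)
        opening_tag, rest = block.split(">", 1)
        src = SRC_RE.search(opening_tag)
        if src:
            out.append("src:" + src.group(1))
        else:
            body = rest.rsplit("</", 1)[0]
            out.append("inline:" + sha256_of(body.encode())[:12])
    return out


def build_baseline(root: Path) -> dict[str, dict]:
    """Record the hash (and, for pages, the script inventory) of every watched file."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES:
            data = p.read_bytes()
            entry = {"sha256": sha256_of(data)}
            if p.suffix.lower() in PAGE_SUFFIXES:
                entry["scripts"] = script_summary(data.decode("utf-8", "replace"))
            baseline[p.relative_to(root).as_posix()] = entry
    return baseline


def diff_against_baseline(root: Path, baseline: dict[str, dict]) -> list[str]:
    """Return findings: new, modified and missing files, plus the script
    blocks that were added to each modified page."""
    current = build_baseline(root)
    findings = []
    for rel, entry in current.items():
        old = baseline.get(rel)
        if old is None:
            findings.append(f"NEW FILE {rel}")
            continue
        if old["sha256"] != entry["sha256"]:
            findings.append(f"MODIFIED {rel}")
            for s in entry.get("scripts", []):
                if s not in old.get("scripts", []):
                    findings.append(f"  added script in {rel}: {s}")
    for rel in baseline:
        if rel not in current:
            findings.append(f"MISSING {rel}")
    return findings


def demo() -> list[str]:
    """Constructed scenario: baseline a two-page site, then append a script
    tag to index.html the way an FTP-based injection would, and diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.html").write_text(
            '<html><head><script src="/js/site.js"></script></head>'
            "<body>Hello</body></html>"
        )
        (root / "about.html").write_text("<html><body>About</body></html>")
        baseline = build_baseline(root)
        # Constructed injection; the host is a placeholder, not a real IoC.
        injected = '<script src="http://malicious.example/inject.js"></script>'
        with open(root / "index.html", "a") as f:
            f.write(injected)
        return diff_against_baseline(root, baseline)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In practice the baseline would be written to storage the web server's FTP account cannot reach, and the check run from a separate host; otherwise the same stolen credential that plants the script can also rewrite the baseline. The script inventory is deliberately coarse (URL or hash of the body), which is enough to flag an addition without trying to classify it.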
Panda Security debuts cloud-based anti-virus
Panda Security has just launched a beta version of what it claims to be the industry’s first cloud-based anti-virus tool.
Basically the company allows consumers to download a free application, which installs a small client on their desktops. The selling point, of course, is that lightens the load that most desktop-based security programs can have on your system’s resources.
Plus, Panda says the system is constantly updated, so you’re always going to be up-to-date — which will be especially useful when Conficker decides to roll out its next surprise.
As for the performance, early reviews are mixed. Many users are saying that while the scanning function was effective, it simply took too long. Seeing as this is a beta, I’m sure Panda will be able to improve on this issue.
And quite frankly, whether consumers are ready for it or not, you get the feeling that this is going to be the future of anti-virus software.
Time Management at RSA Conference
Before the RSA Conference started, if you had asked me how my time would be spent during the week, I probably would have said 40% attending sessions, 20% checking out technologies, 20% networking/socializing, 10% at the company booth, 10% blogging, and 10% in meetings… wait that’s 110%… maybe that says something about my time management.
What has surprised me is how much time I actually spent with meetings. It seemed like I was always preparing for a meeting, in a meeting, or following up from a meeting. Meetings, meetings, meetings. Not that I mind meetings, as some of the meetings have been very valuable, I just didn’t think there would be so many.
Because of all the time I spent in meetings, I missed a few sessions that I really would have liked to see. In particular, Rich Mogull and Chris Hoff gave a talk this morning about the future of security, with a bunch of predictions. Fortunately, RSA Conference records all their sessions, so I can check it out later. In my opinion, this ability to watch recorded sessions after the fact offers some real value to delegates.
I’ll check it out online and let you know what they said. I have to go to another meeting.
—
Dave Morgan, Director of Privacy Research at Camouflage Software Inc.
Guest blogger for ComputerWorld Canada at RSA Conference 2009
Regular blogger for Cogitatio Privatim by Camouflage