Making Security Metrics That Matter

Making security matter to the business

What are the strategic goals for your organization in 2012? Can you recite them off the top of your head? If you can’t, you’re not alone. The inability of enterprise security teams to answer those questions is one of the biggest obstacles facing our discipline today, and it’s the biggest reason current security metrics do not grab the attention of organization leaders.

Know Why You’re There: Business Productivity

The traditional role of security in the organization has been that of a cost-center to be minimized. Besides preventing breaches, security’s success has historically … Continue Reading

Security’s Fundamental Truth and Problem

Overcoming Security’s Fundamental Truth & Problem

You’ve heard it before, right? “Security is inversely correlated to convenience.” This is not news. It is convenient to be able to sit right down at a computer and have access to all the data. It’s not convenient to lock our car doors, shred our credit card bills, or drive at the speed limit. Yet most of us do these things (at least sometimes) because we want to keep our stereo, protect our identity and avoid dying in a traffic accident.

It’s this very nature that makes security so difficult for business people and IT folks … Continue Reading

Security Depends on IT Maturity

Mature IT Processes are Essential to Effective Enterprise Security

Enterprise information security is a function, not a role. While we hire technical folks and call them our “security team,” the expectations around implementing security are distributed throughout the business, especially the IT staff. The security department is responsible for creating the policies and standards that govern the organization, but we depend on network administrators, system admins, developers, DBAs, project managers, desktop support and others to ensure that those standards are implemented.

As an example, imagine…

Funding finally gets approved for those critical network security enhancements you’ve needed for years. You purchase and implement … Continue Reading

RSA Conference 2012 – Wrap-Up

RSA Conference 2012

RSA Conference is the big event of the year for enterprise security. All the biggest names of the security world come out to sell their books, lead a session or keynote, and sit on a panel (or 5). Everyone who sells a security product or service sets up a booth in the expo hall, or at least walks around meeting with clients and other vendors.

Long-time RSA attendees gripe about how folks leading the sessions are not presenting anything innovative or new. Dozens of vendors throw parties and receptions filled with free booze and food to connect with current … Continue Reading

RSA Conference 2012: Day 1 Highlights

Highlights from Day 1 of RSA:

I attended the professional development track, and pulled most of these quotes from there. Follow me on Twitter to see what strikes my fancy in real time.

  • Remember that being a security leader is first and foremost about leading. Too often we get bogged down in management. Managers deal with complexity, scheduling and resource allocation. Leaders deal with setting a direction and figuring out how to get there. The quote used in this session, which I love, was “managers follow a map, leaders follow a compass.”
  • The biggest key to the success of … Continue Reading

Security impact of putting it in the cloud


It seems you can’t make it through any IT-related article or meeting these days without a discussion of “the cloud.” Every CEO wants to know how the cloud can improve innovation and productivity, and every CFO wants to know when we’re going to move to the cloud to dramatically cut the costs of doing business. Most CISOs are just scared to think about all that data sitting outside our firewalls.

In the security arena our job is to help identify and quantify the risks associated with such a move. The risks of an … Continue Reading

Why do we Pen Test?

Why do we pen test?

A penetration test is a method of evaluating the security of computer systems or networks using manual or automated tools. Basically, we set some experienced folks out with the instruction to figure out a way to break the security of our own systems. This will usually come with some rules of engagement (no testing during business hours, don’t corrupt any of our production data, etc.).

I’ve been a part of numerous penetration tests. It seems that every organization has them these days. For the purposes of this article, I am limiting us to internal penetration testing, not … Continue Reading

2012 Enterprise Information Security Resolutions


I can’t believe it’s already been a year since I wrote my last Resolutions post. Overall, I believe those resolutions hold up pretty well. I’ve taken a few minutes to think back over 2011 and see how I did at achieving my resolutions… I am reminded that this ride isn’t a simple pass/fail endeavor. With that in mind, here are my 2012 Enterprise Information Security Resolutions.

  1. Successful information security is about making progress. It’s not reasonable or sustainable to expect all risks to be remediated as soon as they are discovered. Instead, my … Continue Reading

Enterprise Information Security is about Progress

Successful Enterprise Information Security is about Progress

What does a successful information security program look like in an organization? The traditional answer would be something like, “Technology risks are kept to a level the organization is willing to accept.” That sounds pretty simple, right? Find the places where risks are greater than we’re comfortable with, then fix them.

That type of thinking works for a point-in-time evaluation, but comes up lacking when we consider the dynamic nature of enterprise information security. Things change. New vulnerabilities are discovered, new types of technologies are implemented, and new business requirements arise. In reality, there is … Continue Reading

Information Security as the Doctor of the Enterprise


“You don’t have to floss all your teeth, just the ones you want to keep.”

I remember, as a child, going to the dentist and seeing that slogan on a poster on the wall. Between that and the serious questions about my brushing and flossing habits during the appointment, it would have been impossible to walk out of the dentist’s office without a full understanding of the importance of consistent oral hygiene. I would leave the dentist’s office (greatly relieved to be free) but without any commitment to adding flossing to my plans. I … Continue Reading