2012 Enterprise Information Security Resolutions

I can’t believe it’s already been a year since I wrote my last Resolutions post. Overall, I believe those resolutions hold up pretty well. I’ve taken a few minutes to think back over 2011 and see how I did at achieving my resolutions, and I am reminded that this ride isn’t a simple pass/fail endeavor. With that in mind, here are my 2012 Enterprise Information Security Resolutions.

  1. Successful information security is about making progress. It’s not reasonable or sustainable to expect all risks to be remediated as soon as they are discovered. Instead, my … Continue Reading

Enterprise Information Security is about Progress

Successful Enterprise Information Security is about Progress

What does a successful information security program look like in an organization? The traditional answer would be something like, “Technology risks are kept to a level the organization is willing to accept.” That sounds pretty simple, right? Find the places where risks are greater than we’re comfortable with, then fix them.

That type of thinking works for a point-in-time evaluation, but comes up lacking when we consider the dynamic nature of enterprise information security. Things change. New vulnerabilities are discovered, new types of technologies are implemented, and new business requirements arise. In reality, there is … Continue Reading

Black Hat’s Place in Enterprise Information Security

In general, enterprise information security is planned and discussed in the hallways of high-rise buildings, conference rooms and closed-door meetings. These conversations usually involve men in button-down shirts and polos trying to find ways to use the limited resources available to mitigate the risks present across a huge attack surface. Phrases like “defense in depth,” “return on investment” and “acceptable risk” are the primary areas for conversation.

On occasion, the information security practitioners from these organizations decide to get together and hold much bigger meetings they call conferences. These conferences have basically the same elements. … Continue Reading

Five Things: RSA Conference 2011

Thanks to InfoSec Island I had the opportunity to attend the 2011 RSA Conference in San Francisco, free of charge. It was a unique experience, well worth my time and energy to attend. This week’s blog is Five Things I learned at RSA Conference 2011.

1. The information security community is huge and diverse. I’ve seen numbers indicating there were anywhere from 11,000 to 20,000 people at the conference. And those attending make up just a small fraction of the information security practitioners around the world. I met attendees from South America, Africa, Australia, … Continue Reading

The Department of No

On being the “Department of No”

When we discuss metaphors for an information security department, we often talk about things like a traffic cop (giving out tickets for breaking the rules), or a referee (looking for those who play dirty). The problem with those examples is that we’re portraying security as something to be avoided, whose primary contribution is punishing negative behaviors. It’s precisely this type of implementation that has led so many information security departments to be thought of as the “Department of No.”

Being known as the “Department of No” is problematic. Once a reputation is established that information security … Continue Reading

Defense in depth: Security Strategy or Security Blanket

There is an interesting phenomenon in the sports world surrounding fans and trades. It goes something like this…

Giants Fan 1, “Man, that Albert Pujols is really something else. I sure would like to have him on our team.”

Giants Fan 2, “We should offer the Cardinals three of our mediocre players for him.”

Giants Fan 1, “That’ll never work, they won’t give him up for three mediocre players.”

Giants Fan 2, “Okay, we’ll give them 5 of them… heck give them 7 mediocre players!”

Giants Fan 1, “Yeah… this is starting to sound real good.” *

The fallacy … Continue Reading

2011 Information Security Resolutions

Think it’s too late for a New Year’s post? You must not have heard that January 12th is the new January 1st.

I’ve never been one for making New Year’s Resolutions. However, a quick search of the web finds that a lot of folks are. An awful lot of people are looking to lose weight, quit smoking, or get a new job this year. This got me thinking: what are my InfoSec resolutions for 2011? It sounds like the perfect topic for a Five Things article.

  1. Don’t be satisfied with doing things ‘the way we’ve always done them.’ … Continue Reading

Five Things: Creating high quality security policies

Security policies are the foundation of an enterprise information security program. Without a solid foundation in place you simply cannot build a sturdy, long-lasting structure, be it a building or a security program. Below are five things that can help you ensure your foundation is strong.

  1. Use a framework. By starting with a trusted framework you can avoid reinventing the wheel. A framework like the ISO/IEC 27000 series (27001 and 27002 in particular) will give you the control areas you need to cover in your policies. Then it’s your job to customize the policies so they fit your environment.
  2. Make sure your policies are … Continue Reading

Security Equals Quality

There is a balance that exists between security and functionality. The tension between the two is caused by a scarcity of resources. Money, time, and human resources are all limited, and those limits require a business to make tough decisions about what gets top priority and what gets cut.

All too often it’s the security of a product that suffers. There are plenty of reasons for this:

  • The perception that features are what sell a product.
  • The thought leaders at a company spend their time dreaming up new features, not new security measures.
  • Many developers and system administrators are … Continue Reading

Gaining InfoSec Buy-In

In my experience, the biggest impediment to a high-quality information security posture at an organization is not a lack of money or of well-informed InfoSec practitioners. The biggest impediment is getting the front-line workers of an organization to believe in the mission of InfoSec. Rather than waiting for an audit finding or a compliance issue to drive us toward security, we want to get workers thinking and acting securely in their day-to-day behaviors.

In trying to get workers to buy into the mission of InfoSec we have several forces we’re fighting against. We’re battling busyness, status quo, … Continue Reading