May 2010 Archives

I am getting really tired of listening to whining without posited solutions. Not only has the security subset of the blogosphere dried up over the last few months, but the whining seems to be increasing. Compliance has been the whipping boy du jour for most of the year, but risk assessment also appears to be back up for a beating this month. I think the worst part of it all is that the criticisms I've read typically lack the proper background research, or they end up being about other issues rather than being an attack on risk assessment itself.

There are several points that I want to discuss around these topics. First, from a regulatory perspective, we're still closer to living in the land of common law than we are to modern governed society. There are limits to how effective that can be. Second, we need to make sure that we focus our energies on valuating the right things. There's a lot of churn about how certain words or concepts aren't estimable or have no intrinsic value, but it's a red herring argument. Lastly, and perhaps more importantly, we need to realize that the reason we are where we are today in infosec is because of a disconnect because actions and consequences. We now know that this must change.

The latest compliance deadline for the FACTA Red Flag rules is quickly approaching, and you should be afraid (very afraid). Well, okay, maybe not afraid afraid, but you should be concerned. Sure, about compliance, but also about a larger slippery-slope issue that is escalating. See, the government wants us to believe that every business that invoices for services rendered are extending credit, and are thus subject to the new rules. This argument is dangerous and represents a serious, unwarranted overreach of authority.

There's been some chatter lately about the blog posts tailing off across the industry, possibly due to an increase in Twitter use. The decreased blogging rate is definitely evident as my daily RSS reading has dropped from about a hundred posts to 2-3 dozen. Some have questioned this effect in terms akin to pondering the collapse of learned society (which, honestly, is already upon us;). Suffice to say, I've been meaning to blog for a while, but have simply not had the time, energy, or impetus to so. That's about to change, though.

There's been a great thread (a couple actually) going this week on the security metrics list that highlights a really key concept that many people do not understand (including US President #43): the difference between education, training, and awareness. Many people and organizations seem to think that education, training, and awareness are synonymous, though nothing could be further from the truth.

Effective today, I am gainfully employed full-time by Gemini Security Solutions. I'll be coming onboard in a combined security consulting and business development role. This is a very exciting opportunity - one I look forward to knocking out of the park!

About Gemini
From the About page: "Gemini Security Solutions provides impartial information security consulting services that ensure the confidentiality, integrity, and availability of critical business information and resources. Our value is centered on our ability to deliver the right expertise and the right experience, at the right time."

I was reading this CSM summary of this year's Warren Buffett shareholder meeting and loved the closing comment about working hard to avoid stupidity. This sounds like an excellent goal for infosec, too. In fact, I'd go so far as to say that, if ever we should have a goal, it should be this.

Specifically, this goal of "working hard to avoid stupidity" seems to tab very nicely with the legal defensibility doctrine in that one of the stupid things we see time and again throughout the enterprise is decision-making that does everything but avoid stupidity, putting our respective organizations into a world of hurt.