December 2011 Archives
Well, it's that time of year again... time for a look back at 2011 and a look forward at the year to come. Of course, the first thing that comes to mind (to me, at least) for 2012 is the pending Mayan calendar transition. It makes me wonder what sort of crazies we'll be seeing as the year progresses. I'm guessing right now that there will be at least one suicide cult identified before things have come and gone. So, pardon me while I ramble a bit in reflection on the past and coming years...
Since I've again been remiss in my own writing this week (hey, there's always tomorrow!;), I thought I'd highlight what I think are the best pieces of the week, if not of the year! :)
First up, you have to read Jack Daniel's "The Pandering Pentagram of Prognostication" as he absolutely hits the nail on the head as concerns the annual prognostications we see.
Next up, you have to watch Chris Eng's sequel on "infosec thought leadership," titled "The Thought Leader... One Year Later" - it's so spot-on, it's almost eerie to watch. ;)
Happy Holidays! :)
I was first introduced to the concept of the "risk equation" back in 1999 while working for one of the Big N audit firms. It was expressed to me in quite simple terms:
Risk = Threat x Vulnerability x Impact
As part of the discussion around "risk" back in those days, we also had to talk about what those terms really meant. Broken down, "threat" was really more a matter of "threat frequency" - as in, how likely it was that an attacker would hit your environment. Similarly, "vulnerability" was really more about "probability of compromise" - how likely it was that an attacker, having tried, would be successful. If you're thinking that this sounds an awful lot like FAIR, then you're right. In retrospect, it's definitely very much in line with that thinking.
This is a follow-up to my last post ("3 Common Ways Security Fails People"). After posting it, someone on twitter quickly asked if I had any ideas for fixing these common problems. Well, of course I have ideas! :)
Soooo... rather than be one of those non-constructive criticizers of all things infosec, here are three solutions to the three problems:
Nothing gets me going in the morning like a good ol' fashioned dust-up over "security" measures interfering with my ability to get stuff done. It just reminds me of how far we still have to go in order to fix all the wrongs of our past lives. Here are three (3) areas in which I think infosec fails people and shoots itself in the foot, undermining credibility for the future.
I've felt recently like I've not had the chance to blog for a while, but it wasn't until I went and looked that I realized that it's been over a month already. Yikes! Sadly, it's not for a lack of blogging topic ideas, but because I've been pouring my energy into other projects more work-related.
Here's a wrap-up of some recent news, along with a promise to get back on the blogging beat very soon!
- LockPath officially announced my joining the company as Principal Consultant. I subsequently received a listing in the Kansas City Business Journal in the "People on the Move" column (funny since I'm a remote employee).
- My CRN byline "How to Manage Cloud Risk" was referenced in an article on FierceComplianceIT ("Five key elements in a GRC cloud program").
- LockPath was included in CRN's "10 Hot Emerging Vendors For November 2011"
- I was quoted in DarkReading's "2012 Compliance Checklist" this week.
- And... last, but certainly not least... burying the lead a bit... I am extremely honored to be included in Tripwire's "Top 25 Influencers in Security You Should Be Following" list (btw, it's sorted alphabetically, so don't get too excited about the order;).
Toss in a bit of travel, a holiday, and a heap of sickness and that pretty much rounds out the last month for me. More writing to come soon!
I will be returning to RSA US as a speaker again in 2012. If you're interested in attending and don't have a discount code from anywhere else, then please feel free to use this one for $200 off (valid through Jan. 27th): ZSPsyjAphIF
I'm booked into two slots:
LAW-301 - "Hot Topics in Information Security Law 2012" (Panel) - Thursday, Mar 01, 8:00 AM
Abstract: The legal risk and regulatory environment for information security is in a state of constant flux. New regulations, lawsuits and compliance obligations arise on a regular basis. This panel, put on by the American Bar Association's Information Security Committee, provides up-to-the-minute reporting on key infosec legal developments, and provides insight into where the law is going in the future.
STAR-304 - "Legal & Ethical Considerations of Offensive Cyber-Operations?" - Thursday, Mar 01, 1:00 PM
Abstract: Certainly nations have the right, and in some cases the obligation, to use cyberspace tools in an offensive manner to defend themselves. What about businesses: do they also have this right? This session will explore the legal and ethical issues surrounding the use of offensive cyberspace by both nations and corporations.
Register here: http://www.rsaconference.com/events/2012/usa/registration.htm