March 2012 Archives

Here's my question of the day: Is it possible to prevent detailed technical security standards from devolving into a compliance regime (or does it even matter)?

In thinking about this question a bit today (while reading-up on NIST RMF), I started thinking about how this notion fits into risk management approaches. Specifically, in looking at RMF, it appears that rather than achieving a true risk management program, NIST has essentially created a very heavy, bureaucratic compliance regime. Now, I don't think this was even remotely their intent, but rather wonder if it's really just an inevitable outcome from how we as an industry have historically approached information/IT/infosec risk management.

Hey all you risky people - good news! Registration is now open for SIRAcon 2012 - the inaugural conference from the Society of Information Risk Analysts (SIRA). The event will be May 7th, 2012, in St. Paul, MN, ahead of the annual Secure360 conference.

For full details, please check out the event page at www.societyinforisk.org/siracon.

Tickets are now on-sale at siracon.eventbrite.com. The cost is $119, though there is a $20 discount for SIRA members (it's currently free to join, so ping us if you need the code!). Lunch, snacks and refreshments will be provided by the facility and are included in the price of admission.

There is also a special student "cover the cost of food" discount available (please email me for details). Speakers and volunteers are free - if they want to be - OR they can pay the "cover the cost of food" discounted price in order to help SIRAcon achieve it's objective of breaking even. :)

Here are a some of the titles from the confirmed talks:
   * Rolling with Resistance: Because Risk Management Isn't Just About Being Right
   * Organizing Risk Management Programs, or, What I Learned from the Secret Service and the Aviation Industry
   * The Base Rate Fallacy: How Fourfold Tables can help in Information Security
   * OpenPERT: Modeling Expert Opinion
   * Risk Management Practitioners Panel

We hope to see you in St. Paul this May! :)

Here we reach the end of my brain dump on last week's RSA 2012 (see my two previous posts here and here). These are mostly odds & ends - nothing overly well formulated. So, please, forgive the randomness.

This is piece 2 of 3 on RSA 2012 (also see my first piece "Themes & Misconceptions"). In this post I'll discuss the invite-only Risk Management Summit that was organized by Evan Wheeler within the P2P track. The RM Summit had four 1-hour slots that used a format of 5-10 minutes presentation (no slides!) followed by 40-50 minutes of discussion. Overall, I thought this was an excellent program and format, and I very much look forward to being able to participate in it again.

My participation was both as an attendee and as a speaker. For my speaking topic, I presented my notion of "scaling risk management," posing the question for discussion of "If you're an SMB, what is a reasonable expectation for performance of risk management? What should SMBs be minimally required to do?" This discussion took an interesting turn early on, revealing that there are really two questions contained within the topic: 1) "How do you scale-down 'big finance' risk management practices to the SMB space?" and 2) "How should a small business bridge the gap until it's big enough to adopt formal risk management practices?"

Here it is, the aftermath of the biggest security conference of the year, and my mind is still reeling. There have already been several RSA-related posts from various other bloggers, but this is really my first substantive effort (of a planned 3 total). In this piece, I plan to address at a high level several themes and misconceptions that seemed to be circulating or self-perpetuating last week.