Recently in leadership-management Category

Forget C-I-A, Availability Is King

In the traditional parlance of infosec, we've been taught repeatedly that the C-I-A triad (confidentiality, integrity, availability) must be balanced in accordance with the needs of the business. This concept is foundational to all of infosec, ensconced in standards and certification exams and policies. Yet, today, it's essentially wrong, and moreover isn't a helpful starting point for a security discussion.

Unless you were off-planet last week, you've probably heard about President Obama's latest Executive Order, directing various agencies to step up their game on "critical infrastructure" cyber security. As part of this directive, NIST will be building a new framework oriented toward critical infrastructure that will help document processes, standards, best practices, etc, etc, etc. Gah!

The 1980s called and they want their lousy idea back. The 1990s also called, but they just repeated the prior point. The 2000s called and said "What is this, the '80s?!"

If frameworks were going to get the job done, then the job would be done. If securing data and operations was really such a simple task, then we would not be having this conversation, nor would we be reading reports, like Mandiant's big "APT1" blow-out from yesterday (you know, the big shocker that revealed that China is, in fact, hacking everyone... ok, not a shocker... or even really news... since we pretty much already know all that, right?).

If you've not had the opportunity to read the recent Dan Geer / Jerry Archer IEEE S&P Cleartext column titled "Stand Your Ground," then please go read it now. It's only a single page, two-column article and it won't take you long. It is, hands-down, one of the best summaries of contemporary, leading-edge thinking on the state of infosec that I've seen.

Finished? Cool... let's continue...

The future of security is that it shouldn't have a future; at least, not as its own dedicated profession. Rather, security is merely an attribute of operations or code, which is then reflected through appropriate risk management and governance oversight observations and functions. That we still have dedicated "security" functions belies the simple truth that creating separation ends up causing as many problems as it solves (if not more).

This is not a new line of thinking for me. Nearly 3 years ago I asked whether or not a security department was needed. At the time, I was working as a technical director of security for a SMB tech firm, and as the first dedicated security resource, I had concluded that building a team wasn't going to be fruitful. Rather, it made sense to jump right past the "dedicated security team" phase and go right to the desired end-state.

InfoSec vs. Fast Food Nation

Many problems in infosec trace back to human activities, and are consequently reflective of larger societal issues, which have been often represented by the "fast food nation" and "age of ignorance" notions. Sadly, these characterizations are true, as we see now played out with the BYOD movement, so-called "consumerization" of IT, and difficulties keeping control of data.

What got the wheels turning for me was an article I read back in March on The New York Review of Books blog titled "Age of Ignorance". In the article, they pointedly lament what seems to be a rush toward idiocracy and away from a more golden time where intelligence, academia, and open-ended R&D were considered positives. In fact, tying this back into the security meme of my blog, they marvel at even the most fundamental failing of our current society to even know our own basic histories, pinned largely on extremism on both ends of the political spectrum, and representing a very 1984-like reality.

Effective today, I am gainfully employed full-time by Gemini Security Solutions. I'll be coming onboard in a combined security consulting and business development role. This is a very exciting opportunity - one I look forward to knocking out of the park!

About Gemini
From the About page: "Gemini Security Solutions provides impartial information security consulting services that ensure the confidentiality, integrity, and availability of critical business information and resources. Our value is centered on our ability to deliver the right expertise and the right experience, at the right time."

I Am InfoSec, and So Can You

I've been following, with some amusement, the recent small burst of blogging on how to get into infosec. I find it somewhat amusing for a number of reasons, not the least of which is that it reminds me of any number of "lightbulb" jokes (How many general relativists does it take to change a light bulb? Answer: Two. One to hold the bulb while the other rotates the universe.). Why does it amuse me so? Well, for one thing, there's no real defined path into this industry. For another, there are still lots of grey areas with respect to roles and responsibilities. That being said, here are some of my quick hit thoughts.

In August 2009 I wrote about "Defensibility and Recoverability", in which I started developing the notion of using a legal basis for building a defensible position. I later expanded on this notion in the post "Creating Epic Fail Conditions: PCI and Best Practices", along with touching on it in a few other places. More recently, I used the idea of "legal defensibility" through the article "Architecting Adequacy: When Good Enough Really Is" in the March 2010 issue of The ISSA Journal (I'll post an ungated copy of the article when I get a chance). I also floated the idea at the ABA InfoSec Committee meeting during RSA, where I the response was very positive, including getting some air time on a couple panels in the LAW track at RSA.

So, that's a brief background, but what is it, really? What is "legal defensibility" and why do I think it amount to a new doctrine for the infosec community as a whole? More importantly, how can this new notion be used to successfully promote security initiatives, and why should you take it as a legitimate new argument and approach?

"Hang in there! 9 life lessons from rock climbing: Matthew Childs on"

9 Rules:
1. Don't let go
2. Hesitation is bad
3. Have a plan
4. The Move is the End
5. Know how to rest
6. Fear Sucks
7. Opposites are good
8. Strength != Success
9. Know how to let go

Watch the video (link above) for the full info. :)

It's "Security" - Not "Secure IT"

(cross-posted from T2PA)

A common challenge as an infosec professional is the legacy association of the field with information technology (IT). This challenge can be quite detrimental to the enterprise, as an acute focus on technology will inevitably overlook critical issues (and I don't just mean policies!).

This year may provide the perfect opportunity to demonstrate this perspective. As budgets continue to tighten, it should quickly become obvious that "security" is far more than just an IT matter. If your organization takes a serious, deep look at all security responsibilities—arguably including risk management and assessment, policy, compliance, training and awareness, contract support, maybe litigation support, and possibly even audit—then the conclusion must necessarily be to decouple the future of your security program from the future of IT personnel.


About this Archive

This page is an archive of recent entries in the leadership-management category.

infosec is the previous category.

miscellaneous is the next category.

Find recent content on the main index or look in the archives to find all content.

Creative Commons License
This blog is licensed under a Creative Commons License.
Powered by Movable Type 6.3.7