Tag Archives: Business of security

Sir, Put Down the Loaded Weapon

Sensitive information is sometimes like a loaded weapon someone might randomly stumble upon in a park. For those that have some kind of training with weapons, you can probably think of a dozen things you would and wouldn’t do if you were in this situation. But what if you had never seen this kind of weapon before? Would it become a paperweight on your desk? Maybe a doorstop? Or in an extreme case, earrings? Maybe you see peers treating these weapons the same way and all of a sudden it becomes acceptable. Until one goes off. Then everyone flips their lid and it’s utter chaos. Questions like, “How did this happen?” and “Why isn’t the government protecting us?” start to pop ...


What’s your Maturity?

No, I’m not asking how old you are or if you still laugh at fart jokes, but how mature is your security program? Traditional security isn’t working anymore, and its relevancy erodes as the business moves ahead without it. If you’ve heard me speak about information security maturity lately, you may have heard me compare our industry and function to Maslow’s Hierarchy of Needs. For those of you that may need a refresher, here are the basics (minus a few to stop some search engine hits). In order for a human to realize his full potential, he must have specific needs met. Those are: Physiological: food, water, sleep, movement toward stability. Safety: security of body, employment, resources, morality, family, health, ...


Apparently You DO Need Assurance

I was going through some tweets last week and came across a tweet by @rybolov touting the most interesting blog post he will read all month about code scanning and regulatory capture. It’s from Mary Ann Davidson, the CSO of Oracle, and entitled “Those Who Can’t Do, Audit.” While I’m not an auditor (and never have been), I’ve performed many an assessment in my career, so I thought I’d take a look at the re-purposed-cliché-titled post. The first thing you will notice is that the post really isn’t about auditors; it’s about static code analysis. If I can distill the meat of the post down (and cull the 2/3s that compose fat/rant), her point is that certain groups have created ...


Complacent or Lucky (both kinds)?

Twitter cracks me up sometimes. I was tagged in a tweet that pointed out I was among more than one individual representing a breached company on the PCI Advisory Board. My response? Look out that window. I submit to you that the companies with the best security programs might be those that have suffered a breach in the last twelve to twenty-four months. The program was weak enough to allow the breach to occur at the time, but the severity and specifics of the breach highlight corrective actions for management to address. From the breaches I have been involved in, management tends to knee-jerk pretty hard and improve their game. Even without a breach, only a tiny percentage of ...


Wait, we did something right?

Where have I been? Certainly not here! I’ve been on a little bit of travel to Asia and Australia and spending time with security professionals both inside and outside my company. I also tried the Tim Tam Slam for the first time, and videoed it. Enjoy. In my travels over the last two weeks, I am learning that the security market here tends to be more focused on shiny tools than security process. Someone even made a statement about the maturity of the US around information security and how much more mature it is than what they are dealing with. I was a little shocked, actually. It’s pretty rare that you hear that kind of praise outside of the US. ...
