Corporate Survival Tips for Young Professionals: Organization

This is not the messy desk, messy life lecture. There are thousands of books available to help with personal organization, and unfortunately only one or two will probably work for you. Don’t be discouraged. Instead, think about it this way: you need a system that will help you keep all the balls you manage in the air while coworkers and life throw more at you. However you choose to do it, find a system and make it work. I use Personal Kanban (enabled by LeanKit) in conjunction with Evernote and EndNote (free alternatives include Zotero and EasyBib) as resources to keep my life straight. Admittedly, I’m human and I still drop a ball here and there. Honesty, humility, and resolve ...

Corporate Survival Tips for Young Professionals (A July 2014 Series)

Let’s see… You just graduated with your BBA or BS in some business concentration, and now you are ready to go pro. Hopefully you are already hired at your first company and are in the thick of learning about the business and how to succeed. Or perhaps, instead, you are an IT or IS professional who is looking to move your career forward. How do you acquire the skills needed to advance? I hate to break it to you, but your degree did not fully arm you with everything you need to face your new reality. Think of it like this. In high school (or pre-college), you learn that you have to have some level of popularity to survive and ...

The One Where America Goes Into Drydock

For those of us in the States, not much is going to get done today as most of us look forward to a four day weekend. In that light, no big post here. I’ve got a few post ideas I’m working on for the month of July—one being a series on surviving corporate America. There is a set of skills I learned over the years that are never taught in business school, your company’s orientation, or on your company’s intranet (probably). I’m going to put together a list of survivability tools to help develop those non-IT/IS skills! In the meantime, enjoy a safe weekend wherever you are, and Happy 4th!

June 2014 Roundup

So it’s been a full month of hardcore blogging (you know, cause two posts per week is pretty hardcore). Once again, you are all very interested in customer service, how you define cardholder data, and the fun economics of the Starbucks gift card. Maybe all this World Cup fever has you curious? On a side note, I’d like to wish my employer a Happy 25th Birthday! As a corporate entity, it can now finally rent cars ALL BY ITSELF! Here’s what you guys liked the most last month. The Only Customer Service Script You Will Ever Need. The economy is humming along quite nicely. How do we know? Because people are getting poor customer service and reading posts like this ...

The Art of Inquiry

The information security industry can sometimes fall into a rut when it creates and publishes requirements. Even in the corporate world we fall into these ruts. Go check out one of your build or hardening guides and see how much or how recently it has changed. In some respects, we don’t want to have drastic changes even when the world around us changes drastically because it makes it harder to meet those requirements. It’s that old “Your Security Rules are a Moving Target” chestnut. An old mentor of mine once told me that “compliance comes and goes, but security is here to stay”. In some respects, I think compliance is the manifestation of a purpose-built set of security rules driven ...

Last Day to Vote for ISSA International Board!

Just a quick reminder, today is the last day to vote. I am running for an International Director seat, and I want your vote! If you are a member in good standing, the ISSA emailed you a ballot early in June. Go check your SPAM folder if you missed it. Thank you for your support!

Don’t Listen to this ConsumerReports Advice

Lifehacker recently posted something from ConsumerReports where an author suggested asking a hotel manager for their [PCI DSS] Attestation of Compliance. Asking someone for an AoC is an exercise in futility. There is one piece of advice that is good (use credit, not debit), but the construct of asking for an AoC is really not good advice. There are a number of reasons for this. Many hotels carrying your favorite brands are actually smaller properties owned and operated by individual owners. Even if they have an AoC, it’s probably done from the perspective of a Self-Assessment Questionnaire, which does not require a third-party review. I promise you that the vast majority of front desk clerks and managers ...

Try the Middle of the Current (Just for Fun)

I was having a fantastic discussion with a close friend yesterday about how the security industry harbors people that fight battles just for the sake of fighting battles. It’s the stuff that makes Sun Tzu shake his head knowing that you are on the losing side. My friend said, “Hey, didn’t you write about something like that a while back?” Once again, Past Brando hosed Future Brando. One of Sun Tzu’s biggest teachings is that the preferred method to win a battle is to win without fighting. If I were to take some literary liberty with this edict and apply it to the security space, it’s better to win within the established rules of the game instead of spending all ...

The Funny Thing about Scoping

Scoping is not a new topic for PCI DSS, and it could arguably be one of the most debated topics that we face. Several years ago the Council formed a Special Interest Group (SIG) to try to address this, but the results were mixed. You can find something called the Open PCI Scoping Toolkit that can provide some additional guidance, but the danger here is that it is not sanctioned by the Council, so it is not official documentation to be used to determine the scope of an assessment. In the next version of our PCI Compliance book, due out later this year, we spent some more time on scoping. The results are still virtually the same, however. Removing things ...

More Hacks!

It’s been a busy weekend. Since last week, we’ve seen announcements from PF Chang’s, AT&T Mobility, and Domino’s Pizza, all with varying levels of disclosure. PF Chang’s looks to be yet another payment card breach, while Domino’s Pizza was a privacy-related breach in Europe (no cardholder data apparently disclosed). But the AT&T Mobility one is the kicker, with an unknown number of customers impacted, and the big no-no is on this one—social security numbers. Lovely! All that aside, because at this point none of this is really exciting or unexpected, I want to direct your attention to a short and sweet blog post from Mike Rothman, who discusses a comparison (with reference) between emergency managers and information security professionals. It’s ...
