Pragmatic CSO Newsletter #42
January 29, 2008 - #42
Mike's Pep Talk:
I remember many years ago when my Dad was teaching me how to throw and catch. He'd say countless times, "Keep your eye on the ball." Now the tables are turned and I repeat a similar mantra as the (thankfully) soft ball bounces off my boy's face, chest, and arms.
But this is also an important lesson, not just for security folks but for risk managers around the world. The big news this week is the SocGen fraud, where a rogue trader built a fraudulent audit trail to cover $7 BILLION in trading losses. And I thought 2001 was a bad year in the market for me.
First of all, I want to make it very clear what this fraud was NOT, and that is an information security issue. When something like this happens, it's amazing how many messages I get from vendors saying, "You need to write something about how [Product X] would have stopped this travesty!"
Not so much. It seems that SocGen had plenty of warnings that the trader was unstable and that he was doing strange things. They just decided to ignore the signs. The information was there. The fact that this guy had a detailed understanding of the risk management process should also have set off alarms.
Even though I haven't seen the show (because I don't get Showtime), I think Dexter is kind of like this. A crime scene investigator would know how to cover up a crime. Likewise, a risk manager would know how to cover up a fraud.
Which once again gets back to the main point: this is not a technology issue. It's a philosophical one. An organization needs to be committed to investigating potential issues, or to suffering the consequences. In this case, the consequences come with 9 zeros at the end of them. And other banks around the world shudder and are thankful that it wasn't them. This time, anyway.
Photo credit: Brookenovak
A couple of P-CSO Reviews
The hype around the P-CSO has ebbed and flowed in the 12 months since its publication. But that doesn't mean folks aren't talking about it. Check out these reviews to get a little more detail on the process and why it's appropriate even for technical folks.
- RSnake - Application security aficionado Robert Hansen (also known as RSnake) published a review of the P-CSO on the ha.ckers.org site. Money quote:
"It’s not a technical book, it’s a book on changing your thinking to get you ahead of the assailant, in the good graces of your executive staff and into auditory compliance. I’ve run into countless people in the industry who desperately need to read this book so that they too can get a clue. It’s not rocket science. It’s the art of running security like a business. Five stars, Mike!"
- Josh Richards - Josh checks out the P-CSO introduction and thinks it's "promising." Cool.
"This appears to be a promising resource with some good food for thought and practical approaches all collected together in one place. And, to boot, the approaches that look to be discussed should be readily applicable beyond IT security, to any IT project."
Yes, it's true. The P-CSO methodology can be applied to almost any IT problem, although it was built with security in mind.
Thanks guys!
Buy It Now!
Ready to buy the Pragmatic CSO right now? Good, I'm sure you'll find the process of value to your organization. But if not, then remember you've got 30 days to tell me it sucks and ask for your money back. Click on the links below and go right to the shopping cart. A journey of 1000 miles begins with one step; take that step today.