Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - May 21, 2007

By Mike Rothman
Created 2007-05-21 06:35
Today's Daily Incite

May 21, 2007 - Volume 2, #82

Good Morning:
On Thursday I ranted a bit about being more mellow and maybe doing less work and more play. Ah, the best laid plans as it is now Sunday afternoon and I'm cranking out the newsletter. Yes, I'm cheating - but there is a good reason. The rest of my Sunday and Monday morning are chock full of family stuff - so there!

After the morning with the kids (as the Boss and her Mom went to a show), this is the only time until tomorrow night that I'll have to do much of anything. Once I'm done with this, we'll be heading off to the park to enjoy this glorious day. Then the Boss and I are going to see Ty Barnett [1]. It's been way too long since we've seen live comedy, so it'll be nice to get a few laughs in before the mayhem of the week kicks in.

Tomorrow is no better, since bright and early my oldest's school is kicking off Field Day with some type of opening ceremony, where Leah is singing. She was practicing all through lunch, so I'm sure she'll be great. Then it's off to a meeting, then to the airport, and back on the road for a couple of days. That's why an hour or so of Sunday is all you get.

Enough about me (even if it is my favorite topic), let's talk a bit about metrics. I moderated a very cool panel at the All-Ohio InfraGard/ISSA/ISACA conference in Columbus on Friday. Along for the ride were Steve Weber of Cardinal Health, Jack Jones of CBC Companies (who also moonlights working with Alex Hutton at Risk Management Insights [2]), and Jerry Bowman, a physical security consultant who has also done some IT security in the past. These guys were great, but their focus wasn't on traditional metrics - it was on "risk management." Yep, I tried to nail each of the guys down on what that really meant, but defining it is hard. Jerry had a great response because in his world, risk management means a body count of zero.

Steve Weber talked about the importance of getting an early win. After spending a few years tackling infrastructure security issues, he'd have taken a different path if he had to do it all over again. He's very focused on the application layer now and figuring out how to show security improvement along those lines. He would have focused on the application layer much sooner because with the scale of his organization, it took him years to lock down the infrastructure and there is still work to be done. He needed an early win and told everyone in the crowd to find something that can be fixed quickly. Take a baseline and show improvement FAST. This was great advice.

Jack Jones focused a lot on the need to quantify to the level of your audience. He works in insurance and obviously those folks don't see even a $10 million loss as very significant. They have claims for that pretty much every day based on fender-benders. So he needed to make sure he quantified everything and could substantiate his numbers. More great advice.

But the biggest message I took from the panel was the criticality of presenting information about risk to business people in business terms. Then THEY can make business decisions about what is an acceptable risk to take. As I've long said, the answer is out there, not in your head. Our job as security professionals is to make sure the business people have enough information to make a reasoned decision.

Have a great day.

Technorati: Information Security [3], CSO [4]

The Pragmatic CSO [5]
The Pragmatic CSO: Available Now!
Read the Intro and Get "5 Tips to be a Better CSO" at www.pragmaticcso.com [6]

Pragmatic CSO Bootcamp - Maiden Voyage
June 6 in Atlanta
Sign up Now! Only 10 slots (and they are filling fast)
Sign up for the P-CSO bootcamp [7]

Top Security News

Michelle [8], then Alan [9], then Michelle [10], then Alan [11]). We have become entirely too civilized in security blog land of late. But they were really playing off of a recent Network Computing survey about the state of NAC [12]. Unfortunately they are still only asking questions about pre-admission control. The article isn't half bad and the graphs at the end show some interesting data (like Cisco is far and away the mindshare leader in NAC), if your viewpoint is restricted to that focus. Unfortunately (for Alan anyway), I happen to be largely in Michelle's camp, which is that NAC becomes interesting after you've connected to the network. But by most accounts, it seems the pre-admission side is heating up as the vendors (besides Caymas, I guess) are all telling me about record quarters, huge pipelines, blah blah blah blah. But since I believe pretty much nothing that most vendors tell me, I did triangulate the data a bit. The users and resellers are also telling me of increased interest, but it's still about kicking tires and figuring out the best way to solve the variety of problems that NAC purports to solve. I still think we will look back in 12 months and talk about how NAC hasn't lived up to the hype; my position on that hasn't changed.

interview in Network Computing [13] was a treat. If only Marty said anything. First he starts off by talking about the "perfect storm" that resulted in FIRE's Q1 miss. I guess if you blow a hole in your own hull with a Howitzer [14], then that qualifies as a perfect storm. But I've beaten that one to death already. Then Marty goes on to debunk myths that FIRE is only about IDS. Right, they do RNA and other monitoring, SIM and other types of stuff. Blah blah blah. I think the only nugget that is sort of interesting is how Marty describes the power of the open source community. He's right, IF (and that is a huge friggin' IF) a company can get other folks to contribute. Most open source initiatives are pretty much a Go2Market strategy for a vendor looking to be "different". Sourcefire is one of the few companies that has actually built a business and managed to keep the community alive and engaged. But new companies are trying every day, and pretty much all of them will fail.

Ponemon survey [15] was commissioned by a Dallas law firm that drew the conclusion that - are you sitting down? - encryption would have saved most of the respective asses of the respondents when a data breach hits. Yeah, that's news. But there were actually some interesting data points in here. Only 43% had an incident response plan. And 82% failed to consult with legal counsel before responding to an incident. I guess this survey was sponsored by a law firm. Can you imagine the nerve of those security folks? To actually move decisively to contain an incident, as opposed to waiting for your $400/hr lawyer to show up. Off with their heads, I say. But actually that 43% number bothers me. A key tenet of the P-CSO is to make sure you live to fight another day. How can you do that if 57% of those folks out there don't have any plan to respond to an incident? Whether it's 43% or 80% of folks with a documented plan doesn't matter. You better be in the right bucket. You'll thank me later.

The Laundry List

No laundry today

Top Blog Postings

http://blogs.ittoolbox.com/security/investigator/archives/my-csirt-plan-has-fallen-and-it-cant-get-up-16310 [16]

http://thurston.halfcat.org/blog/2007/05/18/risk-of-what-more-reasons-not-to-manage-risk/ [17]

http://www.darkreading.com/document.asp?doc_id=124401 [18]



Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-may-21-2007