Published on Security Incite: Analysis on Information Security (http://securityincite.com)

Pragmatic CSO Weekly #28

By Mike Rothman
Created 2007-09-18 21:09

September 18, 2007 - #28

Mike's Pep Talk:

"Parents must lead by example. Don't use the cliché; do as I say and not as I do. We are our children's first and most important role models."

- Lee Haney

Security Mike's Guide to Internet Security [1]

I'm happy to tell all of you Pragmatic CSOs that my second product was announced yesterday. You can check out the post on my Security Incite blog [1]. It's called Security Mike's Guide to Internet Security [2], and it helps consumers protect themselves and their kids from hackers, identity thieves, and other online mayhem.

There is good news and bad news regarding the Guide. The good news is that this product is really needed. I did a lot of research to put together a list of resources to help consumers do security, and I couldn't find one. It wasn't that there wasn't stuff out there, but it wasn't very good. The bad news? The project isn't really for Pragmatic CSOs. You should know all of this already. Hopefully you already communicate this information to the people important to you, and maybe even some that aren't that important.

Yet I've heard from some of you already (those on the Daily Incite list) that you are buying copies for family and friends, so they stop pestering you to clean up their machines.

But that's not the point. Today I want to address whether we, as Pragmatic CSOs, have a responsibility to spread the gospel about good security habits, even though it's painful. I have to come clean and admit that I wasn't very good about this until I decided to do the Security Mike project. I pretty much kept my mouth shut because it was easier. I know lots of my friends probably have problems, but I don't like to talk about work with my social circle, so I kind of avoided the topic.

I'll be the first to admit that this was (and IS) the wrong thing to do. We have to lead by example (as described in the quote above) and we also have to evangelize good security practices in the home for all the people we know. Sometimes that's challenging because many of our friends and family aren't really technically sophisticated. You know, they don't get it, and it's painful to try to get them there.

But we have to press forward anyway and Security Mike's Guide is my attempt to do that. I'm actually giving copies to many of my friends, so they can go through the process. I'll be there to support them. It's the right thing to do. I'm also going to talk to many of their kids and reinforce what their parents should already be discussing. Finally, I'm going to start approaching local school districts to address middle schoolers and high schoolers to educate and talk about these issues.

Someone's got to do it, and it may as well be me.

You can't be just a half-assed security person. It's not enough to do the right thing for our jobs. We need to do the right thing for our neighborhoods. As I said on the Security Mike homepage, we need to start a grass roots effort to cut off the oxygen (read money) from the crime lords and change the economic model for spam, phishing and other attacks.

Join me and let's set the right example for our friends, family and kids. 

In this week's issue:

The Pragmatic CSO [3] methodology is all about containing the damage of an incident. It's going to happen to you sooner or later, so you had better be ready. That means having your plan documented, practiced and ready to go. Do you wonder whether anyone actually does that, and does it successfully? Of course they do, but it's usually hard to get security folks to talk about it publicly because it rehashes old, bad memories about the incident in question.

Check out this NetworkWorld article [4], which covers a session at the recent Security Standard show presented by Boston College's CSO, David Escalante. It's good stuff. The fact that the institution is religious in nature means Escalante didn't have to make too much of a case for doing the right thing, but still. Reacting quickly and figuring out what happened mattered, but most of all, COMMUNICATING quickly and effectively was the key to success.

The CIO pulled together a cross-discipline team to manage the disclosure, clean-up and communications efforts. That is critical, because legal, PR, and other senior management need to be involved in the process AS EARLY AS POSSIBLE. Keep in mind that the clock is ticking and time is measured in HOURS, not months.

Take Monster, for instance, which waited 5 days before notifying customers of its breach. They needed more information before they communicated anything, but they were also roasted in the press for it.

So the faster you can get the word out and re-establish the perception of control, the better it's going to be for you (and your job).

Buy It Now!

Ready to buy the Pragmatic CSO right now? Good, I'm sure you'll find the process of value to your organization. But if not, then remember you've got 30 days to tell me it sucks and ask for your money back. Click on the links below and go right to the shopping cart. A journey of 1000 miles begins with one step; take that step today.


BUY the Book [5] Buy the PDF [6]

Source URL:
http://securityincite.com/blog/mike-rothman/pragmatic-cso-weekly-28