Michael Daniel, the current White House cybersecurity coordinator, recently admitted to lacking technical know-how; i.e. he can’t code and doesn’t feel the need to learn to do so. Those who have the technical expertise and think it’s important have lit up the Internet with their cries, making it clear that they do not approve.
Does it matter that Michael Daniel can’t code? Read More…
In my earlier post, “Security is Not the Point,” I explained why to most people security is an annoying layer of cost and inconvenience. I said that no one wants security, they want the benefits of security. But if security is not the point, what is?
The last time you had to do some tedious paperwork, you were no doubt muttering under your breath that you’d rather be doing the actual project and not filling out forms and writing a report. We are all like that. Documenting tasks and processes is not fun.
Compliance is like that, too. It is considered the necessary evil, the tedious paperwork required by “the powers-that-be” to meet some basic level of due care. Compliance requirements define the “minimums” for demonstrating that the business is being run responsibly.
However, compliance has a more attractive cousin. Read more HERE.
I have a new client, a billion-dollar service company, whose CIO is going to test my skills. He is suspicious about security and risk management, and questions everything. I should be happy, but I’m not. I should be happy because his questions mean he’s engaged – antagonistic is better than apathetic I always say. He’s willing to hear my arguments about the value security brings to the business, but he’s stubborn. How am I going to win him over? READ my answer HERE.
Most organizations have struggled for years with just cleaning and prioritizing security alerts generated from numerous point products. The value proposition for SIEM products was couched in terms of correlation and prioritization, but SIEM has only succeeded in checking a compliance box without addressing the problem of advanced persistent threats. Stopping targeted attacks in the shortest time possible is now the top priority for advanced security solutions. Read the tips HERE
Every Chief Security Officer, CISO, and risk manager I know believes that their security and risk operation has strengths and weaknesses; in some areas best practices reign supreme, and in others the blunders threaten catastrophe. If managing risk were merely a matter of crafting great policies, we’d read about very few security failures indeed. Unfortunately, managing risk and security always plays a wildcard: the security personnel. How can we ensure that our security teams are putting their best efforts toward the objectives of the department and the business?
Join us for another SecurityDreamer cocktail party at the beginning of the ASIS conference in Atlanta, September 28. Start here before you walk over to Canada Night. Open bar and food. Contact me for an invitation HERE
Sponsored by Modulo
I am a guest blogger at a number of other sites. Here is a sampling a some of my recent posts.
The greatest threat to data is also the least studied
Physical loss of information was difficult to quantify, so said the editors of the 2014 Verizon Data Breach Investigations Report (DBIR2014) that came out this month. That imprecision is why your cyber security precautions mean squat against the gargantuan physical risk you face.
The report, anxiously awaited each Spring, this year included a summary of ten years of breach data. Among the findings is a section on Physical theft and loss. The editors described physical loss of information not sexy and “cyber-y,” and the numbers about this type of information leakage a little iffy. However, they rightly point out that physical loss is among the most common causes of data loss/exposure.
In short, they claim that one of the most common types of information loss is also the least measurable. Read it here
Balanced Scorecard for Security
Security executives who’ve used the Balanced Scorecard over the years, set their IT budgets by first determining the strategic role that security will play in the organization, then established a companywide funding level that enables security programs to fulfill that objective. Since the first step in implementing a Balanced Scorecard starts with strategy, it follows that this can be an effective method for aligning security with that strategy. Read it here.