  • Interesting Website

    This site keeps tabs on information security breaches.

    Doesn't look like we've progressed one inch in locking down confidential information.
    "Every betrayal begins with trust." - Brian Jacques

    "I can't predict the future, but I know that it'll be very weird." - Anonymous

    "There is nothing new under the sun." - Ecclesiastes 1:9

    "History, with all its volumes vast, hath but one page." - Lord Byron

  • #2
    Originally posted by SecTrainer
    This site keeps tabs on information security breaches.

    Doesn't look like we've progressed one inch in locking down confidential information.
    SecTrainer, I respectfully disagree with your comment. We have indeed made tremendous strides in the opposite direction. Add to all of that today's revelation that a hard disk went missing from DOT's TSA. To assuage employee concerns, DOT has offered three years of free credit report checks for all of TSA's employees.
    Enjoy the day,
    Bill

    • #3
      Originally posted by Bill Warnock
      SecTrainer, I respectfully disagree with your comment. We have indeed made tremendous strides in the opposite direction. Add to all of that today's revelation that a hard disk went missing from DOT's TSA. To assuage employee concerns, DOT has offered three years of free credit report checks for all of TSA's employees.
      Enjoy the day,
      Bill
      It is, perhaps, the pace of technology as much as anything else that pushes us, as you observe, "in the opposite direction". The advent of the laptop, for instance, made it possible for large amounts of data to be stolen from car trunks and public bathrooms. The advent of the "USB thumb drive" makes it possible to carry off entire databases in the cuff of your pants, or on your keychain (and many of these are disguised as pens, lipsticks, etc.)...the list could go on and on. No sooner do we barely begin to understand the nature of the threat that some "new technology" presents, let alone how to deal with it, than another "new technology" comes along. And, of course, the hackers enjoy the advantage of being able to act while we are forever reacting.

      • #4
        Originally posted by SecTrainer
        It is, perhaps, the pace of technology as much as anything else that pushes us, as you observe, "in the opposite direction". The advent of the laptop, for instance, made it possible for large amounts of data to be stolen from car trunks and public bathrooms. The advent of the "USB thumb drive" makes it possible to carry off entire databases in the cuff of your pants, or on your keychain (and many of these are disguised as pens, lipsticks, etc.)...the list could go on and on. No sooner do we barely begin to understand the nature of the threat that some "new technology" presents, let alone how to deal with it, than another "new technology" comes along. And, of course, the hackers enjoy the advantage of being able to act while we are forever reacting.
        Agreed; however, many government and private sector security programs are mere window dressing. SecTrainer, they talk a good game and that is all. When queries are made, stock answers are: "We have formed a blue ribbon committee to assess the problem." or "We are drafting security proposals for consideration and subsequent implementation by the department." or "We are doing the best job possible given the enormity of the problems." and my favorite, "We have cautioned employees to do a better job."
        We just staff it to death.
        In my judgment, no progress.
        Enjoy the day,
        Bill

        • #5
          Absolutely dead on the money, Bill. It is like just about everything else where security is concerned...gloss it over, shine it on, and pass the buck. They're forever putting lipstick on the pig and passing her off at the family picnic as Aunt Rose in an effort to conceal the fact that Aunt Rose, being the lively sort, is actually in the slammer doing 90 days for solicitation.
          Last edited by SecTrainer; 05-05-2007, 03:41 PM.

          • #6
            Originally posted by SecTrainer
            Absolutely dead on the money, Bill. It is like just about everything else where security is concerned...gloss it over, shine it on, and pass the buck. They're forever putting lipstick on the pig and passing her off at the family picnic as Aunt Rose in an effort to conceal the fact that Aunt Rose, being the lively sort, is actually in the slammer doing 90 days for solicitation.
            SecTrainer, I would like someone to define what the terms "Sensitivity", "Criticality" and/or "Vulnerability" mean in determining the need for security resources. Should not the answers to these three items determine the threat level and what is required to protect a particular asset?
            Enjoy the day,
            Bill

            • #7
              Originally posted by Bill Warnock
              SecTrainer, I would like someone to define what the terms "Sensitivity", "Criticality" and/or "Vulnerability" mean in determining the need for security resources. Should not the answers to these three items determine the threat level and what is required to protect a particular asset?
              Enjoy the day,
              Bill
              Bill, I like the notion of "security drivers" developed by Kovacich and Halibozek in Security Metrics Management (2006, Elsevier). This incorporates the more traditional risk management analysis based on assets, threats, vulnerabilities, probabilities and cost, but moves beyond these "risk drivers" that we might define in that traditional way, considering other security drivers, such as legislation, regulatory mandates, contractual mandates, and organizational strategy. Any of these can radically alter the priorities that are developed using the "traditional" risk-based approach alone.

              I recommend this book, incidentally. It is among the few that tackle the business realities that ultimately decide the fate of everything we do. The "security driver" approach, by considering drivers other than those associated exclusively with vulnerabilities, threats, etc., is in line with a number of surveys that indicate that CSO's must learn how to mesh their programs with the larger interests of the organization.

              Along those lines, I was very impressed with the job description posted elsewhere on the forum earlier this week for the position of Senior Manager of Security Operations for Disney, of which I'll just repeat some of the elements here. It is the most insightful job description for such a position that I have ever seen. I'll omit the obvious list items, and underline several that have particular relevance to the "driver" approach to security management:

              JOB DESCRIPTION

              ....The Director will employ a strong strategic and analytical approach in recommending, developing, implementing and overseeing corporate policies and procedures, maximizing the value of centralized services, building consensus among business units and creating synergy.

              Primary Functions and Responsibilities

              • Accomplish department objectives by establishing action plans, timetables, and outcome measurements; obtaining and allocating resources; reviewing progress; making mid-course corrections.

              • Achieve financial objectives by establishing objectives; developing and monitoring budgets; controlling and reducing costs; optimizing use of department assets.

              • Contribute to team effort by offering information and opinion as a member of senior management; integrating objectives with other functions; accomplishing special projects as needed.

              • Maintain department results by recruiting and selecting key managers; coaching, counseling, and disciplining managers; planning, monitoring, and appraising job results.

              • Solidify existing relationships with law enforcement liaisons, Line of Business executives by actively engaging in dialogue and by supporting key initiatives and activities.

              • Work closely on construction and real estate projects, providing appropriate security recommendations and support.

              Knowledge and Skills

              • Demonstrated track record in dealing with the effective communication of complex organizational and human resource issues

              • Assimilates and synthesizes information rapidly and recognizes the complexity in issues, challenges assumptions and faces up to reality

              • Continually searches for ways to add value and to position the organization for future success

              • Deals effectively with ambiguity and learns from success and failure

              • Demonstrates resiliency and sound judgment in dealing with business and corporate challenges

              • Demonstrated track record of partnering with various (internal) organizations within the corporate environment to achieve specific goals and objectives

              • Strong business knowledge and acumen

              • Links functional strategy with larger organizational strategy

              • Capable of handling multiple, complex and paradoxical situations

              One of these might seem very odd to expect of the security manager - that he should be able to "add value and position the organization for future success". Ordinarily, we'd consider this to be the job of the CEO and the Board of Directors, and certainly it is at Disney as well, I'm sure. But to include the security manager in this objective suggests to me that the people running Disney are alive to the fact that security *can* add value, and that security *can* impact the organization's competitive position.

              The bottom line, then, is that while the three elements you mention are useful in determining risk, we cannot allot resources or design programs based on risk alone. There are other drivers that must be accommodated as well. At the end of the day, I think that the successful security program is one that moves the company forward, even if sometimes (as is likely) it doesn't strictly adhere to the "ranked order of risks" as defined by traditional methods.
              Last edited by SecTrainer; 05-05-2007, 11:41 PM.

              • #8
                Originally posted by SecTrainer
                I like the notion of "security drivers" as developed by Kovacich and Halibozek in Security Metrics Management (2006, Elsevier). This incorporates the more traditional risk management analysis based on assets, threats, vulnerabilities, probabilities and cost, but moves beyond these "risk drivers" that we might define in that traditional way, considering other security drivers, such as legislation, regulatory mandates, contractual mandates, and organizational strategy. Any of these can radically alter priorities that are developed using the "traditional" risk-based approach alone.
                Thank you, SecTrainer, that is concrete advice and well worth the read. I just wonder if that will catch on?
                Bill

                • #9
                  Originally posted by Bill Warnock
                  Thank you, SecTrainer, that is concrete advice and well worth the read. I just wonder if that will catch on?
                  Bill
                  I believe it is catching on, Bill. The front cover of the most recent issue of Security Magazine (5/07) has this blaring headline: "CEOs now give security wished-for attention but scrutiny comes with it. See how CEO's score their security operation and if they like what they see". The article itself is very interesting, but one of the conclusions that is inescapable is that CEOs believe the security function should (and logically, then, we must presume they believe it can) contribute to the strategic success of the organization.

                  To me, this represents a significant shift from the "what's it costing me?" attitude we've all talked about.
