Wednesday, December 23, 2015
How can we think about the security implications of IoT?
Thursday, December 10, 2015
Awareness is Old News: Make 2016 The Year of Solutions
Wednesday, December 9, 2015
Learning to Tell Security Stories: Better Context For Better Decision Making
Monday, December 7, 2015
Playing It Straight: Building A Risk-Based Approach To InfoSec
Wednesday, November 25, 2015
Building a Narrative-Driven Security Model
Tuesday, November 10, 2015
The Most Important Thing About A Decision
Thursday, November 5, 2015
Mature and Unconfident
Wednesday, October 28, 2015
User-Based Use Cases
Wednesday, October 21, 2015
See Security From The User Perspective
Thursday, October 15, 2015
An Atypical Approach To DNS
Wednesday, September 30, 2015
What Does Security Mean to the "Unwashed Masses"?
Friday, September 18, 2015
7 ways to deal with insider threat
Tuesday, September 15, 2015
Information Security Lessons From Literature
Thursday, September 10, 2015
The Security Operations Hierarchy of Needs
Tuesday, August 25, 2015
We're Looking at Information Sharing The Wrong Way
Thursday, August 20, 2015
Endpoints come in all shapes and sizes
Tuesday, August 11, 2015
Detection May Not Be What You Think It Is
Sometimes, I hear the concept of detection criticized. More often than not, it's not clear to me that the person or organization doing the criticizing actually understands what detection is really all about. There are no silver bullets in security, but the concept and practice of detection are an important part of a holistic and well-rounded approach to risk management. I explain my perspective in my latest SecurityWeek piece: http://www.securityweek.com/detection-may-not-be-what-you-think-it. Hope you enjoy.
Monday, August 10, 2015
Data Visibility: A Matter of Perspective
Thursday, July 23, 2015
Have Our Security Rock Stars Failed Us?
Tuesday, July 21, 2015
Detection: A Balanced Approach For Mitigating Risk
Friday, July 17, 2015
Security is a global problem, right?
Thursday, July 9, 2015
Too Busy For Round Wheels
Ever stop to wonder why life in the SOC seems to be so hectic? I'm sure there are many reasons why this is the case. I've included some thoughts on the topic in my latest SecurityWeek piece: http://www.securityweek.com/too-busy-round-wheels. Hope you enjoy the piece.
Wednesday, June 24, 2015
To The Cloud! What do we have to lose?
Sunday, June 21, 2015
Why encryption can't replace security operations
Thursday, June 11, 2015
Isn't retention as important as recruiting?
Tuesday, June 9, 2015
Security Metrics: It's All Relative
Wednesday, May 27, 2015
Stay Out of the Tunnel to Minimize Risk
The temptation to enter the tunnel can be almost insurmountable. But in the long term, it is much more advantageous to remain strategically focused towards improving the organization's overall security posture. Curious what I'm referring to? Have a look at my latest piece in SecurityWeek: http://www.securityweek.com/stay-out-tunnel-minimize-risk
Wednesday, May 13, 2015
Taking A Security Program From Zero To Hero
Friday, May 8, 2015
Alert fatigue: 6 steps for dealing with constant alerts
Tuesday, May 5, 2015
Security Solutions: Build or Buy?
Wednesday, April 15, 2015
Setting Security Professionals Up For Success
Tuesday, April 14, 2015
Avoiding Tree Rings
Tuesday, March 31, 2015
5 strategies for overcoming the information security skills gap
Thursday, March 26, 2015
Risk-Driven Security: The Approach to Keep Pace With Advanced Threats
Monday, March 23, 2015
Context: Finding The Story Inside Your Security Operations Program
Tuesday, March 17, 2015
Your guide to finding good IT security talent
Wednesday, March 11, 2015
Don't Forget the Rest of the World
Monday, March 9, 2015
Videos of the Narrative-Driven Model
Tuesday, March 3, 2015
Good Things Come in Small Packages
The lesson I would take from my time in Estonia is that good things come in small packages. Small, technologically advanced countries enjoy a few advantages in information security. Here are just a few of them:
Being Nimble: Information security moves at a relentlessly torrid pace. The threat landscape changes constantly. A hulking bureaucracy has no chance. A nation that is small, while having fewer resources, can also be quite agile and use those resources more efficiently.
Recruiting: Small countries generally have small information security communities. And within these communities, everyone usually knows everyone — or at least everyone worth knowing. This can lend a huge advantage to recruiting efforts for a Cyber Defence League. It reduces the time and expense of finding the right people, as well as the risk of making the wrong call in recruiting.
Training and Education: Small countries generally have much more centralized education systems at all educational levels. This lends itself well both to influencing curriculum and to identifying talent. Facing a shortage of skilled information security professionals? Grow them organically. This is much easier done in a small country than a large one.
Visibility: Before a given asset can be protected, we have to know where it is. Because smaller countries have fewer assets in general, it is much easier to keep track of them. Want to protect all of the electrical substations or network ingress/egress points in a small country? Probably doable. In a large country? Good luck finding all that stuff.
Humility: Small countries generally understand that they cannot go it alone. As such, they are much more likely to learn from others and work collaboratively as part of the larger information security community. They are also much less likely to have a “not invented here” syndrome. This comes in quite handy when building and operating a Cyber Defence League faced with the tall order of protecting the nation’s critical infrastructure.
Implementing Changes: In a small country, once a decision has been made to implement a change, it is generally much easier to do so. There is simply less bureaucracy, friction, and inertia to overcome. That can make it much easier to bring about meaningful change within a realistic amount of time.
These are just a few of the many reasons good things come in small packages. Although larger countries have more resources than smaller countries, they can learn a lot from their smaller counterparts. Something to think about if you are involved in cyber defense in your home country, wherever that may be.
Tuesday, February 24, 2015
The House Always Wins
Thursday, February 19, 2015
Penny-Wise, Pound-Foolish
Tuesday, February 17, 2015
5 ways cyber threat intelligence can improve your security
Wednesday, February 11, 2015
Complexity is the Enemy of Security
Why is timely detection and response so difficult?
Friday, February 6, 2015
Caveat Emptor
I was fortunate enough to be invited to speak at a conference earlier this week. Before my talk, I introduced myself briefly, as I typically do. This particular time, it was a new crowd for me, and I did not know many people. I was a stranger to them. As I listened to some of the other talks, something dawned on me, and the idea of caveat emptor crossed my mind repeatedly.
When I introduce myself or talk about my background and experiences, I do so honestly. People who know me and have worked with me in the past will vouch for that. However, as we all know, not all people approach themselves in the same manner. In fact, one speaker's introduction sounded nearly identical to mine. What was the issue? I have come across this individual in the past, and although I do indeed have the experience and skills I say I do, this particular individual does not possess those same experience and skills. Surely, we have all worked with or crossed paths with individuals like this in the past. Where there's smoke, there's fire - except when there's not.
What's interesting to me is not necessarily that some people choose to embellish or blatantly falsify their backgrounds. What's more interesting to me are two points: a) the rate at which these individuals seem to be appearing in the information security space and b) how hard they make life for the rest of us.
Regarding point a, this is perhaps not surprising. Information security is now a hot field. Whereas ten years ago, we were the obscure, quiet geeks in the corner, today, we are en vogue. With the amount of money being thrown around in our domain of expertise, it's not surprising that there are suddenly countless new "experts" coming out of the woodwork.
Of course, with all these new "experts", it makes life that much more difficult for the rest of us. I realized something very important when this particular speaker introduced himself. To the crowd of strangers we both addressed, we are the same. I'm not sure they can differentiate between who is real and who is not real. At first, you may have an adverse reaction to this statement, but it is an important point. Perception is reality. This is unfortunate, and this is where the caveat emptor point comes in.
If you have ever been in or spoken with someone in a leadership position within an enterprise, you know that all day, every day, "experts" hound them. After a while, all the buzzwords and marketing lingo begin to sound the same. It makes it tough both for the enterprises, who very much need effective help (rather than ineffective or incompetent help), and for the true information security professionals who are too busy working and solving problems to self-promote and shout above everyone else.
So what can we as a community do? We can provide honest, truthful references and feedback. We can vet people and companies we speak to. We can seek out other opinions. I fear that the days of taking what someone says at face value are slipping away from what was once a very tight and close-knit community. It makes sense to vet. Take care of the good information security professionals you know - they need it. We have entered the days of caveat emptor.