Tuesday, February 24, 2015

The House Always Wins

Why is it that all we ever hear from security organizations is good news, yet problems and challenges still persist within those same organizations?  It's the same reason we hear all about Las Vegas wins, yet the casinos stay in business.  Curious what I'm getting at?  Have a look at my latest piece in SecurityWeek entitled "The House Always Wins": http://www.securityweek.com/house-always-wins.

Thursday, February 19, 2015

Penny-Wise, Pound-Foolish

It often amazes me how many people don't understand the value in building and maintaining long-term relationships built on trust.  To some people, if there is a dollar to be made in the moment, or a favor to be extracted at the current time, that trumps all.  Of course, behaving this way erodes trust and sacrifices any chance of an enduring relationship.  It's a penny-wise, pound-foolish way to behave.

In the information security realm, this is all the more true.  Most of us spend years building and maintaining long-term relationships because we understand that the information security community is built on trust.  It can often be tempting to sacrifice this trust for a short-term monetary return or a favor.  But, in the long run, this is a foolish way to behave.  After all, at the end of the day, our relationships and our reputations are essentially our careers.

As the old saying goes: Fool me once, shame on you; fool me twice, shame on me.  There is much truth in this.  We all know what happens when someone optimizes for the short term.  The next time that person calls, no one answers the phone.  We are all human, and we all err from time to time.  When we err in this manner, we should own up to it when called on it.  Believe it or not, that actually helps restore trust.  Certainly more so than dancing around the truth or trying to distract those who are questioning us.  That seldom fools anyone, despite how politely they may behave in reaction to these tactics.

The information security community is close and tight-knit.  None of us can afford to have no one answer the phone the next time it rings.  It pays to think about that the next time we consider substituting short-term gain for long-term trust.  It's penny-wise, pound-foolish.

Tuesday, February 17, 2015

5 ways cyber threat intelligence can improve your security

My latest piece in The Business Journals entitled "5 ways cyber threat intelligence can improve your security" is out.  Threat intelligence is a hot topic these days, but how can organizations wade through the hype and into the intelligence sea?  How can we make order out of the chaos?  My thoughts in this latest piece: http://www.bizjournals.com/bizjournals/how-to/technology/2015/02/how-cyberthreat-intelligence-can-improve-security.html.  Hope you enjoy.

Wednesday, February 11, 2015

Complexity is the Enemy of Security

I'm sure we've all heard the sound bite "complexity is the enemy of security" from time to time.  It's a popular, attention-grabbing phrase, but what can we learn from it?  My thoughts on the topic in my latest SecurityWeek piece: http://www.securityweek.com/complexity-enemy-security.  After all, the point of any sound bite should be to stimulate thought, discussion, and ideas, right?

Why is timely detection and response so difficult?

Why is timely detection and response so difficult?  People often ask me that question, so I put down my thoughts in this piece in IT Security Guru: http://www.itsecurityguru.org/gurus/breaking-barriers-improved-detection-response/#.VNtR1Fqf_Vt.  Timely detection and response is indeed a big challenge confronting organizations.  The good news is that there are practical, applicable steps that can be taken to improve the status quo.  I hope you agree and find tidbits you can leverage operationally.

Friday, February 6, 2015

Caveat Emptor

Although I'm not a Latin speaker, I am quite aware of the phrase "caveat emptor".  This phrase is most often translated as "let the buyer beware".  There are many contexts in which this phrase is appropriate, most notably when discussing contracts or legally binding agreements.  Unfortunately, I would argue that the phrase is becoming increasingly important in the field of information security.  What do I mean by this?  Allow me to explain.

I was fortunate enough to be invited to speak at a conference earlier this week.  Before my talk, I introduced myself briefly, as I typically do.  This particular time, it was a new crowd for me, and I did not know many people.  I was a stranger to them.  As I listened to some of the other talks, something dawned on me, and the idea of caveat emptor crossed my mind repeatedly.

When I introduce myself or talk about my background and experiences, I do so honestly.  People who know me and have worked with me in the past will vouch for that.  However, as we all know, not all people present themselves in the same manner.  In fact, one speaker's introduction sounded nearly identical to mine.  What was the issue?  I have come across this individual in the past, and although I do indeed have the experience and skills I say I do, this particular individual does not possess that same experience or those same skills.  Surely, we have all worked with or crossed paths with individuals like this in the past.  Where there's smoke, there's fire - except when there's not.

What's interesting to me is not necessarily that some people choose to embellish or blatantly falsify their backgrounds.  What's more interesting to me are two points: a) the rate at which these individuals seem to be appearing in the information security space and b) how hard they make life for the rest of us.

Regarding point a, this is perhaps not surprising.  Information security is now a hot field.  Whereas ten years ago we were the obscure, quiet geeks in the corner, today we are in vogue.  With the amount of money being thrown around in our domain of expertise, it's not surprising that there are suddenly countless new "experts" coming out of the woodwork.

Of course, with all these new "experts", it makes life that much more difficult for the rest of us.  I realized something very important when this particular speaker introduced himself.  To the crowd of strangers we both addressed, we are the same.  I'm not sure they can differentiate between who is real and who is not real.  At first, you may have an adverse reaction to this statement, but it is an important point.  Perception is reality.  This is unfortunate, and this is where the caveat emptor point comes in.

If you have ever been in or spoken with someone in a leadership position within an enterprise, you know that all day, every day, "experts" hound them.  After a while, all the buzzwords and marketing lingo begin to sound the same.  It makes it tough for both the enterprises, who very much need effective help (rather than ineffective or incompetent help), as well as the true information security professionals who are too busy working and solving problems to self-promote and shout above everyone else.

So what can we as a community do?  We can provide honest, truthful references and feedback.  We can vet the people and companies we speak to.  We can seek out other opinions.  I fear that the days of taking what someone says at face value are slipping away from what was once a very tight and close-knit community.  It makes sense to vet.  Take care of the good information security professionals you know - they need it.  We have entered the days of caveat emptor.