Tuesday, March 31, 2015

5 strategies for overcoming the information security skills gap

It's no secret that there is a large skills gap in information security.  How can an organization overcome that gap?  I share my thoughts on this important topic in The Business Journals: http://www.bizjournals.com/bizjournals/how-to/technology/2015/03/overcoming-the-info-security-skills-gap.html.

Thursday, March 26, 2015

Risk-Driven Security: The Approach to Keep Pace With Advanced Threats

Intelligence-driven security or risk-driven security?  What say you?  I shared my thoughts on the topic in my latest SecurityWeek piece: http://www.securityweek.com/risk-driven-security-approach-keep-pace-advanced-threats.  Interested in hearing your thoughts on the topic.

Monday, March 23, 2015

Context: Finding The Story Inside Your Security Operations Program

The first of what I hope will be a regular series of DarkReading pieces was published today: http://www.darkreading.com/vulnerabilities---threats/context--finding-the-story-inside-your-security-operations-program/a/d-id/1319574?.  In the piece, I discuss the importance of context and of building a narrative to better facilitate security operations.  This is a topic that is missing from the security operations dialogue in my opinion.  Hope you enjoy the piece, and that it provokes thought and dialogue.

Tuesday, March 17, 2015

Your guide to finding good IT security talent

Information security is a career field full of many challenges.  One of the greatest strategic challenges most organizations face is finding qualified information security talent.  This is partially due to a shortage of qualified and experienced labor, but also partially due to the difficulty in assessing candidates during the interview process.  My thoughts on this topic are in my latest piece in The Business Journals: http://www.bizjournals.com/bizjournals/how-to/human-resources/2015/03/your-guide-to-finding-good-it-security-talent.html.  Hope you enjoy.

Wednesday, March 11, 2015

Don't Forget the Rest of the World

I've always found it interesting how in a global company, the security program can be overwhelmingly focused on the home geography of the company.  It's important to remember the rest of the world, especially in security operations: http://www.securityweek.com/security-operations-dont-forget-rest-world.  I hope you enjoy this piece and find it helpful.

Monday, March 9, 2015

Videos of the Narrative-Driven Model

People often ask me to elaborate on the topic I am the most passionate about: "Security Operations: Moving to a Narrative-Driven Model".  Of course, there is my piece in SecurityWeek on the topic (http://www.securityweek.com/security-operations-moving-narrative-driven-model), but that merely scratches the surface of a deep topic.  I am always more than happy to discuss the topic at length, but there are also a few recordings of talks I've given on the topic that are available.  Each of the talks targets a different audience, and as such, they vary in length and technical depth.

Video of my talk on "Security Operations: Moving to a Narrative-Driven Model" at the 4th Annual Cyber Security Conference, Tel Aviv, Israel, September, 2014: https://www.youtube.com/watch?v=m0BO_NlFtkA

Video of my talk on "Security Operations: Moving to a Narrative-Driven Model" at DeepSec 2014, Vienna, Austria, November, 2014: https://vimeo.com/117110626

Video of my talk on "Security Operations: Moving to a Narrative-Driven Model" to the CU Boulder Master of Infosec Colloquium, Boulder, CO, USA, March, 2015: https://echo360.colorado.edu:8443/ess/echo/presentation/36beff23-8aad-40b5-ab65-d4623e7d80d0

I hope that the videos do justice to what I consider to be an important concept for the future of security operations.

Tuesday, March 3, 2015

Good Things Come in Small Packages

Recently, during a discussion on Twitter, Richard Bejtlich asked me to blog about my experiences working with the Estonian Cyber Defence League (Eesti Küberkaitseliit).  I visited them for a week back in 2009, and I was quite impressed with what I saw then.  I have no doubt that they have made great progress in the six years since.

The lesson I would take from my time in Estonia is that good things come in small packages.  Small, technologically advanced countries enjoy a few advantages in information security.  Here are just a few of them:

Being Nimble: Information security moves at a relentlessly torrid pace.  The threat landscape changes constantly.  A hulking bureaucracy has no chance.  A nation that is small, while having fewer resources, can also be quite agile and use those resources more efficiently.

Recruiting: Small countries generally have small information security communities.  And within these communities, everyone usually knows everyone — or at least everyone worth knowing.  This can lend a huge advantage to recruiting efforts for a Cyber Defence League.  It reduces the time and expense of finding the right people, as well as the risk of making the wrong call in recruiting.

Training and Education: Small countries generally have much more centralized education systems at all educational levels.  This lends itself well both to influencing curriculum and to identifying talent.  Facing a shortage of skilled information security professionals?  Grow them organically.  This is much easier done in a small country than a large one.

Visibility: Before a given asset can be protected, we have to know where it is. Because smaller countries have fewer assets in general, it is much easier to keep track of them.  Want to protect all of the electrical substations or network ingress/egress points in a small country?  Probably doable.  In a large country?  Good luck finding all that stuff.

Humility: Small countries generally understand that they cannot go it alone.  As such, they are much more likely to learn from others and work collaboratively as part of the larger information security community.  They are also much less likely to have a “not invented here” syndrome.  This comes in quite handy when building and operating a Cyber Defence League faced with the tall order of protecting the nation’s critical infrastructure.

Implementing Changes: In a small country, once a decision has been made to implement a change, it is generally much easier to do so.  There is simply less bureaucracy, friction, and inertia to overcome.  That can make it much easier to bring about meaningful change within a realistic amount of time.

These are just a few of the many reasons good things come in small packages.  Although larger countries have more resources than smaller countries, they can learn a lot from their smaller counterparts.  Something to think about if you are involved in cyber defense in your home country, wherever that may be.