You can't secure what you don't acknowledge.SM

Thursday, October 2, 2008

The gaping hole that most organizations have

Some organizations have an incident response plan, and many people in management know that one needs to be in place. Of those that do have a plan, I have YET to see one that has a public relations component. You know, those pesky news ferrets who will no doubt be calling, emailing, and, worse, shoving a microphone in your face when a breach occurs?

Well, here's a good little piece on this very topic in the context of healthcare and HIPAA, but it applies across the board.

If you don't have a PR plan - make it happen. You don't want to be caught with your pants down - literally - on this one.

Yet another law protecting patient privacy

I'm all for holding businesses and their employees accountable for their actions. But is this new law in California just another case of not enforcing existing laws? I know this is a state law, but what about HIPAA?

Wednesday, October 1, 2008

Cool site for tracking impending disasters

During Hurricane Ike I came across a really neat site for tracking storms in the tropics and onto our soil here in the U.S. It's called Stormpulse. It has an awesome interface and lots of good information to help you plan and execute emergency procedures if your organization is going to be affected. Certainly a worthy tool in any DR/BC toolbox.

Wonder how much Cisco spent on this study...

Alert, alert! Cisco has finally found the cause of information security problems! Apparently *employees* are the culprit. So...humans are the root cause of all this stuff we live and breathe every day after all. Oh, and apparently we need to focus more on awareness...You think?

I believe this was a case of some Cisco employees needing to do some busy work to justify their existence in the company. Amazing use of resources.

Read more about the "breaking news" here.

Tuesday, September 30, 2008

Use wisely your power of choice

In reference to my post from yesterday about the human desire for instant gratification and our government rewarding failure with this attempt at an economic bailout, I thought of another thing that has really helped me over the years. It's Og Mandino's short and sweet quote: "Use wisely your power of choice."

These five words - when taken to heart and followed closely - can help drive every decision you make towards a positive outcome and instill the personal responsibility needed to be successful.

Decide to use it wisely...

Free CISSP training

For those of you looking into obtaining the CISSP certification, here's a link to some free CISSP exam prep offered up by SearchSecurity.com and taught by Shon Harris - a well-known expert in this area. It's not all you'll need in preparing for the exam but it's a good start and the price is right.

Job sites focused on MCPs

If you're a Microsoft Certified Professional, here's a list of job sites tailored for you...

Also be sure to check this link for previous posts of mine about security-related job sites.

Monday, September 29, 2008

Fight the desire for instant gratification

Here in Atlanta we have a pretty serious situation with gas. Some refineries in Louisiana and Texas (where Georgia gets approx. 85% of its fuel) are still out of commission from Hurricane Ike. There are numerous other issues contributing to the problem as well, including the federal Clean Air Act, which requires gasoline sold in our local market to meet stringent EPA-enforced air quality standards. That makes it more difficult for gas stations to get and keep the gasoline we need here in the metro area.

So, given all of this I've noticed some really interesting behavior among my neighbors and even my own family members. They are literally following the gas trucks around, calling every gas station in the area to see when/where they can go top off their tanks. Yes, ladies and gentlemen, I said top off their tanks. They have such a strong desire to NOT get below full that they're constantly going to the gas stations to refill. And you wouldn't believe the lines! People are waiting up to 2 hours to get gas. Here are some telling photos that still don't do the problem much justice.

Then we've got politicians shouting "price gouging" from the rooftops which prevents the free market from working the way it should. Apparently we're going to have this problem for another two weeks. If these vote-hungry and economically-ignorant leaders of ours would allow the free market to work its magic, gas prices would go up and the immediate-gratificationers would stay home and stop sucking up all the gas which would allow people like myself who actually need it to get it! I've been searching for the past week and can't find any. I'm now having to work from home but I'm not complaining too much....that is until I have to go to my next meeting.

Well, the whole point I'm trying to make is this: do whatever you can to fight the urge for immediate gratification in this and all areas of your life - especially in your career. This wanting to have stuff NOW is a problem on the same level as the seven deadly sins. It's the scourge of the human race. Feeling like we must have something now not only causes financial issues but also problems with relationships, economics, you name it...Look at practically every bad situation at home, at work, and around the world and you see the negative consequences of this need for immediate gratification that's embedded in us all.

One of the best things you can do for your career in information security is to fight the desire to get something as soon as it shows up on your radar. There's a reason for the saying "Good things come to those who wait." Think long-term, analyze the situation, and then make an informed decision to proceed when the time's right. That's a sign of a true leader.

ISC2's new CSSLP to the rescue?

Well, ISC2 is at it again with yet another security certification - this time focused on application security. The CSSLP (Certified Secure Software Lifecycle Professional) focuses on security where it's often the weakest...at the source code level.

Not a bad idea in general. I just don't foresee someone getting such a certification and then suddenly being a development expert, much less someone able to lock down the software lifecycle. These are things that come with tons and tons of experience in psychology, politics, security AND development. I cover the latter two in depth in my audio program Certifications, Degrees, or Experience - What's Best for Your Security Career? Here's a sample snippet for your listening pleasure.

I'm not saying it can't be done. I'm just a little skeptical at this point.

What we need is a certification in getting management on board with security. That's arguably the biggest problem we have with security. It could be called Certified Butt Kisser Striking Fear into Management, or CFUD. Know that you heard it here first!