You can't secure what you don't acknowledge.SM

Friday, August 27, 2010

HIPAA & HITECH: new requirements + same approaches = new book

My colleague and co-author Becky Herold and I are working on the second edition of our HIPAA book and I'm realizing, wow, not much has changed in the way of managing information risks since we first wrote it in 2003. Yet, the protected health information breaches keep on occurring (look at the two latest ones from this week).

Stay tuned though...we've got lots of good updates and new info forthcoming on HIPAA and the HITECH Act that can help you forge your way through the compliance mess.

Work harder on yourself than you do on your job

Many people want to take the easy path that promises to lead them to their riches rather than work hard over the long term and earn it the good old-fashioned way. It's the lottery mentality. James Allen said it best:

"Men are anxious to improve their circumstances, but are unwilling to improve themselves; they therefore remain bound."

Want to get begin improving your circumstances in your life and in your IT/security career? Here are some pieces I've written and an audio program I recorded that can help you get started.

Thursday, August 26, 2010

Good new book on security awareness

I have to admit, when my colleague Marcos Christodonte first approached me about reviewing his new security awareness book, Cyber Within, I thought here's yet another book on boring old security awareness. I was wrong. Cyber Within takes a very unique (suspense novel-like) approach to address the problem we have with employees and information security. And it works.

The book is a quick read - just 47 pages - but it's just enough to help drive home the message that employees are our worst enemy when it comes to security. The book also has some cut-out forms in the back for reporting incidents and employee quick tips you can use during your security training.

The argument could be made that everything in the book falls into place too easily but I still think it's a good read and a good resource. Kudos to Marcos. Heaven knows we need some original - and non-plagiarized - material in our field these days!

You can check it out Cyber Within on Amazon by clicking the book cover below:

Acunetix WVS v7 - grand improvements in the making

When I find a good security tool I not only love using it but I love telling everyone about it. Having gone down this road many times myself, I understand the time, money, and hassle associated with investing in security tools that aren't all that. Well, here's one for you: Acunetix Web Vulnerability Scanner (AWVS) version 7 (it's currently in beta and free for you to try).

The folks at at Acunetix tout several new things in AWVS v7 such as:
  • intelligent scanning engine
  • improved Web 2.0 support
  • lower false positives
  • ability to re-launch a reported vulnerability check
  • faster scan times
Having taken AWVS v7 for a spin a few times, I can say that they've delivered. It's actually pretty weird using version 7 because outside of the much-improved dashboard it looks very similar to AWVS version 6. But once you dig in and (especially) see how fast it is, you can tell they've gotten it right this time. It reminds me of Windows 7 compared to Vista - looks similar but much, much better.

There are only a handful of Web vulnerability scanners worth considering. Acunetix makes one of them. Check it out while the getting's good.

Wednesday, August 25, 2010

500 million and counting...

I just received a press release from Beth Givens at the Privacy Rights Clearinghouse stating "500 Million Sensitive Records Breached Since 2005". 500 million+ known records that have been compromised in 5.5 years in the U.S. alone due to people in organizations large and small making poor choices about information security and privacy! Simply amazing.

If you haven't seen the Chronology of Data Breaches, check it out. It's fascinating. The problem of people putting forth little to no effort to keep information secure affects every single one of us. Scroll through the breach list and you'll likely see a business or organization you've dealt with in some fashion or another.

What's it going to take? Security standards have been developed. Security and privacy laws have been passed. The word's getting out. Yet, still, the carelessness and ignorance continues. Seriously, what's it going to take? I know it's easy for me to ask these questions being on the other side of the table. I don't envy anyone who's responsible for managing information security. Arguably it's one of the most difficult things to do in business today. Perhaps we need to re-think how we're doing things. Personally, I'm starting to like my colleague Pete Lindstrom's modest proposal to publish SSNs and be done with it. In our complex world with no real way to get our arms around this best once and for all, perhaps there is no good answer.

Beth Givens and company: Keep up the good work pulling all of this information together and keeping us informed.

Tuesday, August 24, 2010

Selling security: To persuade to is succeed

Okay, so your managers aren't getting security and your users aren't on board either. Security's not looking too good but you know it needs to happen. Just how can you "sell" security to those who matter most? Here's a collection of articles and blog posts I've written that address this very subject:

How to get - and keep - user support with security
How to get management on board with Web 2.0 security issues
Building credibility and getting others on your side
Making the Business Case for Information Security
The Business Case for Information Security - What businesses are up against and why it is needed
Selling security to upper management
My blog posts on selling security

But wait, if you're looking for more, here's a great read: 17 ways to be a more persuasive speaker - it contains content you can not only use when selling security but also when presenting, speaking, or anything you do to try and persuade other people to do things they may be reluctant to do.

Relentless incrementalism

I don't know who coined the term "relentless incrementalism" but it's very fitting when it comes to information security. In the context of what we do, relentless incrementalism means doing small things over time that add up to big outcomes in the long term.

All of us - management included - have to understand that security is not a one-time deal. Nor is it a product or a "compliant" status. It's not something your network administrator is taking care of. It's not something the compliance officer or CSO handles. Information security is a process that you, management and arguably everyone in your organization have to work on every single day.

This could be security assessments, system monitoring, quizzing employees, keeping your skills sharp by attending security conferences - you name it. Every situation is different. Whatever risks your business is facing, whatever regulations you're up against, and whatever is important in your environment - those are the things you must address on a periodic and consistent basis.

It's like keeping your body healthy. We all know that diets don't work. We all know that nature will have its way if we remain inactive. Regardless of the hype and magic "fixes" related to dieting and exercise, any reasonably-minded person knows that the calories we burn must be equal to or greater than the calories we consume. It's basic math. Yet we (myself included) get caught up in everything else and take this simple formula for granted.

We have to change our mindsets and our lifestyles if we're going to make things happen. Information security is no different. Every action counts. Every choice you and you leadership make either serves to support information security or serves to get in the way of information security. Find what works and keep working at it...relentlessly.

Monday, August 23, 2010

Panic is not a strategy's not.

In this new piece I wrote for Security & Technology Design magazine, I talk about the lack of incident response planning being one of if not the biggest risk in any given organization...and what you can do about it:

Incident response: The biggest security gaffe of all?

If anything, never forget what Captain Chesley Sullenberger said after he landed U.S. Airways flight 1549 into the Hudson River last year:

"I didn't have time to learn what I needed to know...I had to have done hard work for decades for tens of thousands of hours to prepare for that moment."

...that says it all.

Common sense counts the most

A great quote I heard over the weekend has a direct tie-in to what we focus (or don't focus) our efforts on in information security. NASCAR champion Ned Jarrett said:

"There's nothing stronger when you're trying to get something done than common sense."

I couldn't agree more.

In the realm of IT and managing information risks, I'll take common sense over book smarts any day.