You can't secure what you don't acknowledge.℠

Thursday, November 10, 2011

Join me at the CDW - TechTarget seminars in Philly & NY next week

If you happen to be in or around Philadelphia, PA or New York City next week, I'd love it if you could join us for our TechTarget / CDW seminars: Predictive Security: Plan Ahead to Stay Ahead of the Next Threat.

I'll be giving the keynote presentation and splitting the breakout sessions with Pete Lindstrom and other vendor experts. After the morning sessions and a great lunch, we'll get back together around 2pm and close out with a lively Q&A for which we've gotten great feedback.

These are our final two seminars for the year. You'll benefit from us being really warmed up and having our presentations (mostly) fine-tuned.

Hope to see you soon!

Why compliance is a threat

Compliance as we know it is arguably one of the greatest threats to enterprise security. Here's why:
  1. It creates a heightened sense of self for those responsible for accomplishing a state of compliance.
  2. It can cost more to become "compliant" than it does to create a reasonably secure environment.
  3. It empowers government.
All of the above create complacency and a false sense of security. Please tell me I'm wrong.

Wednesday, November 9, 2011

Wooo...HIPAA audits are coming & the irony of KPMG's involvement

I've always believed that compliance is a threat to business [which is why I help businesses take the pain out of compliance by addressing their actual information security issues], and this new bit from HHS's Office for Civil Rights is no different.

Apparently the HIPAA audits are coming...KPMG - an audit firm that has already proven they have trouble implementing the basic security controls they audit others against - scored a $9 million contract to perform up to 150 audits over the next year. Audits that'll prove that covered entities and business associates alike still don't take HIPAA seriously. A simple visit to your local hospital or physician's practice will show this, but I guess it needs to be formalized.

Who knows, maybe in a generation or two, physicians (the bigger problem) and business associates (not quite as much) will wise up to the fact that minimal investments can go a long way towards fixing their low-hanging fruit and implementing basic security controls - really all that's needed for HIPAA compliance in most situations.

Tuesday, November 8, 2011

Mobile devices are the new desktop, what to do now!?

Here are some new pieces I've written for my friends at TechTarget on mobile security that you may be interested in, including a piece for TechTarget's new (I think) site:

It's time we shift our thinking about endpoint protection

Act now to prevent smartphone security risks at your organization

Compliance officers' next big headache: Securing mobile applications

You know the deal, be sure to check out for links to all of my information security whitepapers, podcasts, webcasts, books and more.

One of my pet peeves: relying on users to wipe out wimpy passwords

You cannot - and should never - rely on your users for complete security...yet they're often the first or last line of defense - sometimes both.

I wrote about this a while back, but it's a problem that's still rampant in IT, so I had to bring it up again. It's probably my biggest pet peeve with security. Simply telling users that they need to select strong passwords on their computer systems and leaving it up to them to do the right thing is delusional.

I do believe that most people want to do the right thing...that said, people are going to take the path of least resistance if they're presented with it. Set them up for success instead and take that power away when you can.
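The "take that power away" advice above, as an added example that is not part of the original post: a server-side check that rejects weak passwords at the moment they are set, so nothing depends on the user choosing well. The deny-list, the length thresholds and the sample inputs are constructed assumptions for illustration.

```python
import re
from typing import List

MIN_LENGTH = 12          # everything shorter is rejected outright
PASSPHRASE_LENGTH = 16   # at this length the character-class rule is waived

# Constructed sample deny-list; a real deployment would load a breached-password corpus.
DENYLIST = {"password", "password1", "welcome1", "letmein", "qwerty123", "summer2011"}


def password_problems(password: str, username: str = "") -> List[str]:
    """Return every policy rule the candidate violates; an empty list means accepted."""
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Strip trailing digits/symbols so "Password1!" is still caught as "password".
    stem = re.sub(r"[^a-z]+$", "", lowered)
    if lowered in DENYLIST or stem in DENYLIST:
        problems.append("appears on the deny-list")

    if len(username) >= 3 and username.lower() in lowered:
        problems.append("contains the username")

    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if classes < 3 and len(password) < PASSPHRASE_LENGTH:
        problems.append("uses fewer than 3 character classes")

    if re.search(r"(.)\1\1", password):
        problems.append("repeats one character three or more times in a row")

    return problems


def set_password(username: str, password: str) -> bool:
    """Enforce the policy where the password is set, instead of asking the user to."""
    problems = password_problems(password, username)
    if problems:
        raise ValueError("rejected: " + "; ".join(problems))
    return True   # real code would hash and store the password here


if __name__ == "__main__":
    for user, pw in (("alice", "Password1!"), ("alice", "xkcd horse battery staple")):
        try:
            set_password(user, pw)
            print(f"{pw!r}: accepted")
        except ValueError as e:
            print(f"{pw!r}: {e}")
```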