You can't secure what you don't acknowledge.SM

Thursday, December 1, 2011

You're in charge of your own crisis

Whether or not you - or your management - believe you'll suffer a security incident, it certainly pays to be prepared. Odds are that something is going to occur.

Does your business have a solid incident response plan? What about a communications plan? Is an executive or business PR representative going to say "Um, well, uh you know - we got hacked and stuff..." to the eager media, or are they prepared to answer questions in a mature and professional manner?

PR pros will tell you that you'd better be prepared. As Bolling Spalding - a PR expert here in Atlanta - said in this Atlanta Business Chronicle piece:

"Address the situation openly by saying, 'We don't have all the facts yet, but will tell you what we know now and we'll continue to report back as the facts come in.'...If you don't tell the story, someone else will tell it for you, and it might be someone with an ax to grind."

There's too much to lose, folks. Do something now so you'll have a plan when the time comes.

If you're interested, here are some tips I've written about information security-related incidents and how to shore up what could be one of your business's greatest weaknesses.

Tuesday, November 29, 2011

HDMoore's Law, revisited

Here's a good read by Mike Rothman (@securityincite) on how we tend to bury our heads in the sand over the most obvious things including HD Moore's Law. For years, I've had a slide in my presentations titled "Future Trends" where I've talked about how exploits are getting easier for those with ill intent:
  • Easier access to tools
  • Little knowledge needed
  • Less elaborate “hacks”
  • More internal breaches
  • Mobile business → less control
  • Greater complexity → more security issues
  • Newer technologies → new security problems
Mike's post is a good reminder that this is a business reality - today, right now - and it's up to every single one of us in IT to stay ahead of the curve.

Sunday, November 27, 2011

Don't get mired striving for perfection

As we wind down 2011, here's a quote that relates to information security, incident response and overall risk management:

“The person who insists upon seeing with perfect clearness before he or she decides, never decides.” -Henri Frederic Amiel

So, do something to better your information security program. Any positive step forward - anything - is much better than getting mired in the desire for perfection and doing nothing at all.