You can't secure what you don't acknowledge.SM

Wednesday, September 21, 2016

Join me along with ISACA and TechTarget today to learn about how to advance your infosec career!

I'm happy to announce that I'll be joining ISACA and TechTarget for their annual online security seminar, a day-long learning event for IT and information security professionals. My session this afternoon, which starts at 3:30pm ET, is titled "I Can Do versus I Have Done... Certification, Experience, and the Information Security Career Path."

You can register by clicking the image or via this link:  

I hope to "see" you there!

Monday, September 19, 2016

People Behaving Badly and information security's tie-in

Last week, I had the opportunity to travel to the Bay Area in California to record an information security video (thanks Intel and TechTarget!). Of course, I couldn't travel across the country and not see the sights of San Francisco. A most excellent highlight of the trip was for my son and me to meet television and social media celebrity Stanley Roberts. My son is a huge fan of Stanley's, has learned a ton from him (me too!), and was over-the-moon excited to be able to meet him in person.

I wanted to share with you Stanley's videos (a really good "best of" is below) and how his work relates to what we do for a living. Stanley catches people in the act of doing bad things, whether intentionally or through ignorance, and that same behavior is the very thing that drives the field of information security today. It's the essence of my previous blog post from today and my whole shtick that if we just addressed the basics of security (followed the core best practices and rules), we wouldn't experience the consequences.

Stanley, we need to figure out how to do something on "people behaving badly with computers"!

Check out Stanley's YouTube channel or, if you're in the Bay Area, KRON 4 News...I think you'll enjoy it. If anything, beyond the laughs, you'll see that crazy human behavior is across the board in all aspects of life, not just in IT and security.

What, exactly, is reasonable security? The state of California knows!

With all that's happening in the world of information security, it seems that there's never enough regulation. From HIPAA to the state breach notification laws to PCI DSS and beyond, there are rules - and guidance - around every corner. Oddly enough, the breaches keep occurring. As if what we've been told up to this point is not reasonable enough. Some people, mostly federal government bureaucrats and lawyers who stand to benefit from such power, believe we need more regulations. Some are even attempting to rebrand information security as "cybersecurity," which only serves to create another layer of complexity and hurt our cause long-term.

Presumably, more regulations will clarify what "reasonable security" means. I disagree. The core information security essentials that we need to follow in order to be secure have been around for decades. Yet people think we need more guidance, more rules, more control. It's the mindset that many have toward fixing government schools: don't address the real problems, just throw more money at things and the challenges should go away soon. If things were only that simple!

If we're going to address information security reasonably, we don't need more regulations...what we need is discipline. The discipline to execute the security essentials over and over again, no matter how boring, how repetitive, and how politically inconvenient they are. I love what Kamala Harris, Attorney General for the state of California, wrote in her 2016 California Data Breach Report:

The 20 controls in the Center for Internet Security’s Critical Security Controls define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.

Folks, it's as simple as that...Ignoring the problem won't make it go away. Unless and until we address the core security practices - practices that have been proven to work time and again - we'll continue to struggle. So, what's it going to be?