[SecurityRatty] tag: belts

Almost too sad to read

Mon, 26 May 2008 13:22:58 +0000

I dont think I have any words to say for this comment.

Veterans’ burials nonstop at national cemeteries

An average of 1,800 veterans die each day, and 10 percent of them are buried in the country’s 125 national cemeteries, which are expected to set a record with 107,000 interments, including dependents, this year. And more national cemeteries are being built.

Thirty-four veterans groups volunteer for services. Every seventh Thursday members of American Legion Post 548 from Louisville, Ohio, dressed in black coats, ties and pants with white belts, gloves and shoulder cords, come to pay tribute to fellow veterans.

Links for 2008-04-03 [del.icio.us]

Thu, 03 Apr 2008 20:00:00 +0000

Information Security as Insurance
Security Thoughts: Information Security, Governance, Compliance and Safety Belts
I have seen a lot of complaints about PCI and SOX etc etc in the same way that people complain about "self protection" laws like safety belt laws.
The Evolution of Compliance Technology - Sarbox Survival Guide
William Vambenepe’s blog » Blog Archive » Another IT event standard? I’ll believe it when I CEE it.
Worst practices: Recognizing the biggest compliance mistakes
Tenable Network Security: CyberCrime, CyberTerror, CyberEspionage, and CyberWar
The final point I'd like to make on cybercrime is that the current set of problems show us nothing about how bad it can possibly get. If you're part of an organzation that does business online, cybercrime is going to be part of your personal future, fo
practical risk management: Nice GRC write-up and how it relates to log management initiatives
Commentary: Inside the Twisted Mind of the Security Professional
Dana Gardner's BriefingsDirect: Splunk goes 'platform' to extend IT search benefits across more IT management functions
SANS Technology Institute: An Interview with David Hoelzer, author of DAD, a log aggregator
ParanoidMike: Which Security Event Log audit categories are most useful on a Windows client?
Do Your Vendors Have Information Security That's Aaa Good? - Web Exclusives - Online Column - CSO Magazine
Sarbanes-Oxley: Growing Dependence on Log Data for Compliance and Threat Response
Results of note from the SenSage survey respondents include: * Eighty-eight percent collect log data for compliance reasons, while 42 percent do so as part of best practices/industry standards initiatives such as ITIL. * Seventy-eight perce

$50 > life. WHYYYYYYY?

Thu, 03 Apr 2008 08:49:00 +0000

If you flipped thru my slides from the CSO Summit, you noticed slide #4 with a picture of a seatbelt. Why is it there?

That is why. This post really tied (for me) everything that happens in security today; and its essence is this quote:

"The state of Victoria in Australia made wearing safety belts compulsory in 1970. This is now almost universal practice. I don't know the exact statistics but a study done in South Africa found that more people used safety belts after it was made illegal to not use them than when it was left up to the driver.

The conclusion really is that people are more likely to obey a rule because it is law than because it may just save their life."

and even

"I have seen a lot of complaints about PCI and SOX etc etc in the same way that people complain about "self protection" laws like safety belt laws."

If you see anything weird in today's "compliance-heavy" security industry, it is probably explained by this phenomenon.

Information Security, Governance, Compliance and Safety Belts

Thu, 20 Mar 2008 04:47:00 +0000

The state of Victoria in Australia made wearing safety belts compulsory in 1970. This is now almost universal practice.

I don't know the exact statistics but a study done in South Africa found that more people used safety belts after it was made illegal to not use them than when it was left up to the driver.

The conclusion really is that people are more likely to obey a rule because it is law than because it may just save their life.

I think that the same is true with Information Security. It won't (necessarily) save your life but it is good practice. And yet companies are only doing it because it is now law.

The problem with this is that it is not accepted by people in their hearts. I know of people who drive around without their belts on and put them half on when they see a traffic cop.

The Information Security equivalent is jacking up your InfoSec program when the auditors come to visit and letting it slide when they are not around. Or making sure that they don't see some issues that you are well aware of.

I have seen a lot of complaints about PCI and SOX etc etc in the same way that people complain about "self protection" laws like safety belt laws. The thing is that the government is stepping in only because people are very bad at self regulation. Really, what a number of InfoSec experts are trying to promote is - understand why you need to protect yourself, understand how and abide by it. Do it for your company, not because the government demands it.

That way, not only will you be "compliant" and full of "good governance" but more importantly - your company will be safe.

Recession brings a downturn in security spending and jobs

Wed, 13 Feb 2008 07:58:30 +0000

Many financial indicators are pointing to a looming global recession. This means that companies will be tightening their belts and drastically cutting down on their discretionary spending. What does this mean for information security industry? And what can CISOs do to recession proof their security programs?

This means leaner security organizations (yes that means lay offs), significantly reduced spending on security consultants and contractors, and squeezing the most out of every buck that is spent for information security. This would also mean longer sales cycles for security vendors, cost taking precedence over functionality. From a CISO perspective, it means more justification for security budgets, begging other parts of the business to fund security projects, and pushing existing vendors to provide more for the same amount of dollars.

Some people see a silver lining to all this. Here is what they say, “When things get tough, businesses will more likely to focus on what they do best and hand off operational tasks to an outsourcer.” Many on-shore and off-shore providers have had double digit growth in their managed security businesses in the past. But here is the dirty little secret of security outsourcing - many times it does not save you costs. A lot of times you end up spending the same, if not more, on outsourcing. You could potentially get some cost benefits by working with an off shore provider, but due to the declining dollar that proposition is also becoming pretty bleak.

We may be better off than other areas of IT because the demand for information security professionals is still outstripping supply, but expect a lot more organizations to pick people from other parts of their organization and move them to information security rather than hiring new people. Unfortunately, this means lesser jobs for all of us – the real security folk.