[SecurityRatty] tag: tough

Tough times and risk management, Part 2

Sun, 30 Nov 2008 21:00:00 +0000

Gibbs discussed the concept of risk management in IT a couple of weeks ago, and vowed to continue with a discussion of the consequent politics. True to his word, here 'tis . . .

Massachusetts extends compliance deadline on new data encryption rules

Thu, 20 Nov 2008 02:00:00 +0000

Citing the economic downturn, the Massachusetts state government is giving companies more time to comply with tough new regulations on securing the personal data of state residents.

Talking Engagement

Fri, 14 Nov 2008 06:46:00 +0000

So, it finally happened. I was invited to talk at an Information Security Conference and I went and talked.

My talk was about the risks of information leaving the organisation but I decided to add in the risks of information not leaving the organisation.

This may sound counter productive but in these though times your IT department should really be looking at using services such as GMail, your Marketing department should be looking at using Facebook, Twitter, Blogs etc. Your HR department should be looking through LinkedIn for new staff.

If your Security Department is too tough on information leaving the organisation then you are missing out on opportunities. Of course, if you are too lax then information will make its way out and that can't be good for the company either.

Information Classification is key. As is awareness.

My speech was very well received, achieving over 8/10 for the different areas and I have been invited back to speak again.

I must admit that my speech was aimed at business decision makers and not technical people and yet the people who showed up were more technical people. There are very few companies in South Africa (with my employer being a noted exception) that treat Information Security as a business issue and not (only) a technical issue.

I'm not really one to tooth my own horn but I wrote this blog entry to thank a number of people who made my speech possible.

Firstly thank you to the two blogs that I feel are on the forefront of Information-centric Security - Securosis and Rational Survivability. I used some material from both sites and some that was sent to me by Richard Mogull from Securosis.

I used some speaking tips that I got from Presentation Zen so I didn't put everyone to sleep (even though my speech was at the danger time of 3:30pm when everyone is tired and wants to go home) and I used some (free!) graphics from Stock Exchange.

When I was preparing for the speech, I revisited some of my old Blog posts which I think I need to repost as I have some more ideas about them.

Giving Out Replacement Hotel Keys

Thu, 13 Nov 2008 09:12:22 +0000

It's a tough security trade-off. Guests lose their hotel room keys, and the hotel staff needs to be accommodating. But at the same time, they can't be giving out hotel room keys to anyone claiming to have lost one. Generally, hotels ask to see some ID before giving out a replacement key and, if the guest doesn't have his wallet with him, have someone walk to the room with the key and check their ID.

This normally works pretty well, but there's a court case in Brisbane right now about a hotel giving a room key to someone who ended up sexually attacking the woman who had rented the room.

In civil action launched yesterday, the woman alleges the man was given the spare access key to her room by a hotel staffer.

The article doesn't say what kind of authentication the hotel requested or received.

Investing in Your IT Security Career in Tough Times

Mon, 03 Nov 2008 21:00:00 +0000

When meeting someone new and describing my background in this industry I often say "I've seen the best of times, I've seen the worst of times and most of what falls in between." I've been recruiting in Information Security long enough to have experienced the heady times of the dot.com boom and the dark days that followed after it all came crashing down. I've also been here as the industry has grown and evolved-sometimes as a result of and sometimes in spite of significant difficulties. This evolution leads to adaptation, and it's the ability of people to adapt and rise above one challenge after another that makes our industry so dynamic.

Seeing tough times ahead, Symantec plans layoffs

Thu, 30 Oct 2008 21:00:00 +0000

Anticipating a slowdown in IT spending, Symantec expects to begin laying off employees next month.

Seeing tough times ahead, Symantec plans layoffs

Thu, 30 Oct 2008 01:00:00 +0000

Anticipating a slowdown in IT spending, Symantec expects to begin laying off employees next month.

Accenture CIO Modruson is not just putting out fires

Mon, 27 Oct 2008 21:00:00 +0000

Being an IT leader is tough enough at the best of times, but what do you do when your company is stacked with IT experts? 'Make the most of it' would appear to be the attitude of Frank Modruson, CIO of Accenture, one of the world's biggest management consulting, technology services and outsourcing companies.

IT wary of insider attacks as economy slows down

Mon, 27 Oct 2008 01:00:00 +0000

Experts warn that companies should be especially vigilant about protecting their data and networks from disgruntled employees during tough economic times.

Information security in bad economy

Sun, 26 Oct 2008 16:37:40 +0000

Economy looks grim. The headlines are very discouraging. Capitalism does not guarantee wealth and success all the time. The talking heads on TV blame the greed in the stock market. I wish stock market is made of just computers that are not greedy human beings. These are bound to happen when there are human beings that participate! Money flows will eventually correct itself I hope, capitalism will be healthy again. This will take time. I am not an economist, but I do understand that people part with money for a period of time to collect higher return in the horizon based on their aptitude for risk. Simple is it not! But, all these complex financial instruments and its machinations seem to blur the reality and make even the brainiest act dumb - or are they just plain greedy?

Setting the context for this post, it is a tough economic situation all over the world. IT spending has reduced and will reduce significantly. In one of earlier posts, I had referred to information security as an overhead of an overhead (IT). What is a good approach for security practice in this type of economy?

I don't have a magic wand to pull a rabbit out of a hat. I have always been told that: tough economy is the time for real smart people to make money. Coming back to information security topic, with a bit of common sense, it is wise for information security professionals to offer services in those areas that does not involve capital expenditure. As a Security Manager, you may be already aware that your people are willing to go an extra mile in the current economic times.

- No budget or lack of budget, means no new capital expenditure. Spend time wisely in building a future technology strategy and keep it in the back pocket when the economy turns around.

- This is a good time to create roles/responsibilities and ownership for various areas. Create operating procedures. Make your team to automate tasks. This will help your operations become more efficient.

- This is time for security awareness education. Create pamphlets/brochures/presentations for an online or classroom training. Engage your and your team's time to impart training.

- Leverage already invested technology platforms. Leverage utilized features that reduce costs. If you have already invested in technology such as VMware, this is the time to get the best out of it. You can use VMware's toolkit to build your lab and staging environment and optimize on hardware cost.

- Off shoring has been the mantra of senior executives, this is the time to revisit those services and measure their performance closely and assess your satisfaction level. This is a good time to build a case for not off shoring if it makes sense.

- Companies are more vulnerable in bad economic times. You are in a better position to influence senior management about information security risks under these circumstances and drive home the value of protecting your intellectual property under these kinds of circumstances. management will be all ears for such a pitch.

- Time to engage your architect to optimize your security architecture, revisit standards and optimize design for cost efficiency.

- Revisit various controls and see if there are some risks that you could optimize spending on.

- Training budget is an unfortunate victim of this type of economy. Encourage employees to take free webinars offered by various security vendors and encourage them to share the summary across the team. This will put your employees in touch with latest happenings in security at the same time there is some learning that is imparted despite zero training budget.

- Since there are very few projects in action, this is a good time to have conversations with cross functional teams and educate them about your services and solicit feedback on how to do better.

- Revisit your vendor logistics and identify whether you can renegotiate some of your already existing contracts.

The above are some good ways by which you can optimize costs, this will also enhance your team's competence level in the long run. And this approach is better than letting people go, if you can pull this.