I have spent my day in a forum dedicated to the security of classified information. Individuals attending are facility security officers, defense security service employees, and others caught in the orbit of U.S. Government classified information. One of the speakers made a comment that made me immediately jump to post something on Twitter: "I want you to walk away from this presentation with one thing you can do to prevent risk." <- I don't think you understand risk. — Peter Hesse (@pmhesse) March 14, 2014 Why did I say that the esteemed gentlemen who was presenting didn’t understand risk? Let’s break it down. The Definition of Risk Risk can be either a noun or a verb. Consider these definitions found[…]

At the RSA conference, I attended a panel discussion entitled “Changing User Behavior: The Science of Awareness.” The panel focused on explaining the failure of traditional awareness efforts, and made suggestions about what improved solutions might look like. During the panel, surrounded by a room full of security professionals, it hit me: we are technologists trying to figure out how to solve a communication problem. Maybe security’s “people problem” is relying on the wrong people to solve this challenge. Are People The Problem? Our industry is quick to put the blame on “users” when security problems occur. Whether it is the takeover of CNN and the AP’s twitter feeds, or a hack of Target’s HVAC contractor leading to their breach, people are[…]

Recently, an article came to my attention about social networks being gamed in order to hurt the reputations of competitors and enemies. With all the talk these days of search engine optimization, social media experts, and the “internet of things” we are looking to connect our information to as many people, and in as many ways, as possible. Have you considered the ways this might hurt you instead? We are beginning to get a handle, as a society, on the minimum viable security that every organization needs in order to stay in business and not be destroyed by the constant noise of attacks facing us on the Internet. But what happens when instead of facing a distributed denial of service[…]

Here it is, the last day of 2013. It has been a rough year for me, both personally and professionally. So for the first time in a long time, I’m very much looking forward to speeding off into the new year without even glancing in the rear-view at 2013. And it is the time for those dreaded New Year’s resolutions – I’ll exercise more, eat less, and write more thank-you notes. Most of these resolutions don’t even last as long as the glitter found from those sparkly New Year’s hats will be found in your carpet. This year, I’d like to suggest a different New Year’s resolution to my fellow information security industry professionals. Let’s focus 2014 on security awareness. To[…]

While reviewing the 2013 changes to HIPAA, we came upon this interesting bit of economic impact analysis early in the document. A table is presented called “Estimated Costs of the Final Rule”. Within this table, an estimated cost is presented for Security Rule Compliance by Business Associates, expected to apply to between 200,000 and 400,000 business associates of covered entities that were not previously directly liable for HIPAA compliance. The table lists this estimated cost as between $22.6 million and $113 million. I believe this cost is not remotely realistic. Let’s do a little math to figure out these costs per organization. How about a best case scenario, where we spend the least amount of money getting the largest number of[…]

I read a good article a few weeks ago, by Tom Mendoza of NetApp called 6 Powerful Ways to Embrace Change. It’s worth the short read. It got me thinking about how the Information Security industry is really in the business of change management. Change management seems a business term for “doing everything you can to avoid embracing change”. I’m going to take Tom’s 6 ways and rewrite them from an information security perspective. 1) Don’t look back Unfortunately, in the information security industry, not looking back is a sure key to failure. If you don’t continue to address the risks presented by your legacy system which no longer gets security patches, or pay attention to information that was long[…]