I’m doing Security Awareness and Training.  This is aimed at the average user, so for me to be taking it, it’s like a Navy destroyer taking on a zodiac.

I’m not going to name the organization that this training was for, because they probably don’t want the rest of the world to know.  There’s a reason for this:  the training sucked.

It was 2 people talking behind a podium without any good presentation skills.  Even for security content which is slow sometimes, this was a new low.  The sad part is that it was some really smart people trying to teach their audience too much and in such a disorganized fashion that they ended up confusing most of them.

Mike’s version of what Security Awareness and Training should be for the average user:

• You have no privacy on our network or computers
• Doing this list of things will get you sent to a federal prison
• Doing this list of things will get you fired
• If you suspect something is strange, call the help desk
• If you have any security-specific questions, here is how you can reach me to ask
• Don’t do anything that seems stupid at the time, if you have to ask if it’s OK to do, then the answer is probably “no”.
• Have a nice day

Notice I don’t believe in trying to educate users what a firewall is, the basics of CIA, none of that.  They won’t remember it, just like I try to forget everything I know about asset depreciation and the other fine points of counting beans.

• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 2
• White Professional Male Turned CISSP Seeks Mega-Sized Security Management Model
• What’s Missing in the way the Government does Security?
• Data Centers and Hair Driers
• Inside the Obama Administration’s Cyber Security Agenda

There comes a time when you start managing your time in 5-minute increments. That has been the past 2 weeks for me.

I’ve been teaching the past several Fridays, and that takes up the evenings the week prior. It takes a significant level of effort to just update the agenda and the slides for the upcoming day of training.
Monday and Tuesday I was in for more leadership training. It’s people-centric so it wipes me out.

While I was doing all this, FISMA report card came out and I didn’t get a chance to comment on it. Well, there isn’t much that is all that surprising. Smaller agencies do better at meeting the standard because small means more flexible. I’m surprised DHS is anything but an F because they are huge and new and I figure it will be 5-10 years before they get their feet underneath them.

• Business Leadership Training
• Targeted Spam
• Standard Maturity
• Got Training?
• Back in Leadership Training

Nice.  I don’t think they really have a rating for the VA.

http://www.matasano.com/log/798/fisma-using-homeland-security-advisory-system/

• Looking for the Charbo Testimony
• An Informal Study on the Literacy Level of Security Blogs–We All Get Pwned by Amrit
• Upgrading
• Splunk Goes After the FISMA Lucre, They’re not Alone
• My Analysis of the DHS Congressional Testimony

I think the picture speaks for itself.

• Oh Hey, Secure DNS now Mandatory
• Sir Bruce Mentions FDCC, World Goes Nuts

Compliance is a Dead-End

Compliance is aimed at one thing: limiting risks to the organization that writes or enforces the standard.  How’s that for “Bottom Line up Front” writing?

I’ve been a critic of approaching FISMA with an eye toward compliance, and I just recently started to look at PCI.  I’ve started to come around to a different way of thinking.  It all makes perfect sense for the people who write or enforce the standard–they’re cutting their losses and making the non-compliant organization take the blame.  It’s risk management done in a very effective Macchiavellian style.

For an organization looking to improve their security posture, taking a compliance-based approach will eventually implode on itself.  Why?  Because compliance is binary–you are or you’re not.  Risk management is not binary, it’s OK to say “well, we don’t meet the standard here, but we don’t really need to.”

If you base your security on compliance, you are spending too much of your time, people, and money on places where you shouldn’t be, and not enough on where you should be.  In engineering words, you have had your solution dictated to you by a compliance framework.

The endgame of all compliance is either CYA, finger-pointing, or both.  Look at how data breaches with both PCI and the government get spun in the press: “$Foo organization was not compliant with $Bar standard.”  As Adam Shostack says, “Data Breaches are Good for You”, the one caveat being “except when you are caught out of compliance and smeared by the enforcers of the compliance framework”.

I remember a post to the Policy, Standards, Regulations, and Compliance list from Mark Curphey back in the neolithic age of last year about “Do organizations care about compliance or do they care about being caught out of compliance?”  It makes more sense now that I look at it.

On the other side of the coin, what I believe in is risk management.  Risk management realizes that we cannot be compliant with any framework because frameworks are made for a “one size fits all” world.  Sometimes you have to break the rules to follow the rules, and there isn’t room for that in a compliance world.

• When Acceptable Risk is Not Acceptable
• Core Belief #2 — Risk Management Uber Alles
• My 2 Obsessions this Week
• Dictating Common Sense
• An Open Letter to NIST About SP 800-30

Computer crime novel in graphic novel style.

It’s eerily good and for some reason it’s hard to put down.

Planet Heidi

• Idaho and Technology
• Pictures: Desert Computer Lab
• Declan McCullagh and Anne Broache on “Will security firms detect police spyware?”
• The Honor System
• Hack Disaster Relief