Those cheeky devils over at NIST have an interesting read out in draft form: NISTIR 7328 (.pdf caveat). It’s a draft Interagency Report, but in reality it’s a how-to on being assessed and being the assessor.
I’ve given it a glance and it’s all the things that successful Security Test and Evaluation teams have been doing all along. I know there’s some kind of “take-away” (my MBA phrase for today) that works out in the private sector.
I’ve been toying with the idea for about 6 months, but I think I’ve decided to go for a PMP.
See, one of my little foibles is that if you act long enough like you can’t manage a project, I eventually get impatient and end up taking it over. So I figured that since I’ve led a bazillion projects, I might as well get credit for it. =)
Anyway, I’m interested in a quick straw poll on how many security folks are out there doing PM jobs. It seems like we get pulled into PM stuff more and more because more often than not, we know how things are supposed to work.
OK, this post will be big today. For starters, I use Fortinet products, they’re the heart of my key infrastructure and I’m pretty happy with them.
It’s GAO, OMB, and the House Committee on Government Oversight and Reform, not GSA.
This blog posting is very unprofessional of you, sir. I would expect more from a Chief Marketing Officer. Will your CEO read about how you treat your customers?
Obviously you do not understand your customer base and you are unable to understand their pain points. That is not being a good partner. The appropriate answer is “let’s grab a conference room and talk this over, I want to fix this for you.”
You just provided that individual with his migration plan from your gear onto somebody else’s.
You need to get out walking more and get some better shoes.
Yes, the CIO and his CISO bear most of the responsibility, but if they fail, you fail. Until you understand that, you have much to learn about the Government.
What neither Richard nor his CIO “friend” realize is that it takes a partnership between the Government and the vendors to make it work. Yes, the agencies receive a FISMA grade, but really that failing grade represents the efforts of both the Government and industry. You need to understand that before you go hating on the agencies for low grades.
We all get frustrated dealing with each other. It’s hard for contractors and vendors to understand the Government unless they’ve worked as a GS-scale or SES. I know the contractor side, I know some of the Government side, but I don’t claim to know it all.
But to go out in public and criticize your customers is unthinkable, especially in DC, and especially from a Chief Marketing Officer. You don’t make any permanent enemies here if you can help it, you never know who will end up in charge after the next reorganization.
On the other hand, the purpose of the FISMA grades is to give people a reason to have these conversations. The Government needs to be going to its vendors and saying that they cost too much and don’t fix their problems. That’s supposed to happen, only Richard didn’t handle it well. Don’t tell me this is the first time something like this has ever happened to him.
I just expect more from a vendor and their head of marketing. Thank you for level-setting my expectations for your company, Richard.
“See, that security thang, it ain’t so hard.” I guess endpoint security is a complete and utter commodity now. =) I can feel the cyanide bullet C&D letter coming in the mail any minute now.
From: ZoneAlarm <news@zonealarm.zonelabs.com>
To: rybolov
Sent: Wednesday, October 10, 2007 5:42:47 PM
Subject: Buy a Costume, Get Security Suite Free!
Posts RSS
Subscribe via Email
No Comments »
