Ah, the infamous Nina Hagen, singing about God, aliens, sex, Germany, vivisection, and numbers. She’s half opera diva, half devil, and all things in-between. =)
Posted in Odds-n-Sods | 
3 Comments »
It’s been a little while since I did anything offbeat (OK, some of you could claim “absolutely bat-sh*t crazy”), so here goes. Riding the success of my earlier Meerkats and Risk Management post, we’re now following our young, dashing meerkat protagonist off to his new tribe in the Big 4. Let’s have a look at his diary, shall we?
17 March 2008: Dear diary, life has been different since I left my clan of the widget-makers-and-maintainers. Here in my new clan, we have a different subset of meerkats: the bugcounters. They’re the strangest sort of meerkats you could imagine. Instead of eating the bugs that we find out while foraging, they insist that we bring them all back so that they can count them. They put them into a pile, count the bugs, and then, check this out, they ask a rival clan to come count them again just in case they didn’t count them correctly the first time.
18 March 2008: Dear diary, I read in the Kalahari Times that one clan of bugcounters actually ate another. I think this is completely misunderstood, but when my clan traveled to the second clan’s foraging territory, all that we could hear was the sound of “Om Nom Nom” and couldn’t bear to see the outcome. I think it had something to do with this website and risk management.
19 March 2008: Dear diary, how we ended up with so many young, happy meerkats in my clan is beyond me, but I suspect the alpha male and female taking a cruise to the bahamas three months ago had something to do with it. At any rate, we’re inundated with young meerkats. In some ways, our burrow is like the meerkat nursery, and every senior meerkat is a babysitter at one point or another, in addition to a sentry, forager, and burrow-digger.
20 March 2008: Dear diary, my burrow has a new type of automatic bug-preparation machine. You need no less than a doctorate in meerkat physics to make the thing turn the bug extract powder into edible bug substitute. the first time I used it, I spilled bug extract all over the floor, my paws, and one of my clan members. I miss my old bug-boiling pot.
21 March 2008: Dear diary, in my clan, we have a new way of measuring the success of meerkat foraging. Instead of the total number of bugs we collect, now in our annual meerkat assessment report we talk about the total number of hours spent foraging versus the total number of hours doing meerkat development courses and filling out our bug reimbursement forms.
Posted in Odds-n-Sods | 1 Comment »
Accreditation is the forgotten and abused poor relation to certification.
Part of the magic that makes C&A happen is this: you have certification which is a verification that all the minimum security controls are in place, and then you have accreditation which is a formal acceptance of risk by a senior manager/executive. You know what? The more I think about this idea, the more I come to see the beautiful simplicity in it as a design for IT security governance. You really are looking at two totally complete concepts: compliance and risk management.
So far, we’ve been phenomenal at doing the certification part. That’s easy, it’s driven by a catalog of controls and checklists. Hey, it’s compliance after all–so easy an accountantcaveman could do it. =)
The problem we’re having is in accreditation. Bear with me here while I illustrate the process of how accreditation works in the real world.
After certification, a list of deficiencies is turned into a Plan of Action and Milestones–basically an IOU list of how much it will cost to fix the deficiency and when you can have it done by.
Then the completed C&A package is submitted to the Authorizing Official. It consists of the following things:
The accreditor looks at the C&A package and gives the system one of the following:
And that’s how life goes.
There’s a critical flaw here, one that you need to understand: what we’re giving the Authorizing Official is, more often than not, the risks associated with compliance validation testing. In other words, audit risks that might or might not directly translate into compromised systems or serious incidents.
More often than not, the accreditation decision is based on these criteria:
For the most part, this is risk management, but from a different angle. We’ve unintentionally derailed what we’re trying to do with accreditation. It’s not about total risk, it’s about audit risk. Instead of IT security risk management, it becomes career risk management.
And the key to fix this is to get good, valid, thorough risk assessments in parallel with compliance assessments. That requires smart people.
Smart CISOs out there in Government understand this “flaw” in the process. The successful ones come from technical security testing backgrounds and know how to get good, valid, comprehensive risk assessments out of their staff and contractors, and that, dear readers is the primary difference between agencies that succeed and those who do not.
NIST is coming partly to the rescue here. They’re working on an Accreditor’s Handbook that is designed to teach Authorizing Officials how to evaluate what it is they’re being given. That’s a start.
However, as an industry, we need more people who can do security and risk assessments. This is very crucial to us as a whole because your assessment is only as good as the people you hire to do it. If we don’t have a long-term plan to grow people into this role, we will continually fail, and it takes at least 3-5 years to grow somebody into the role with the skills to do a good assessment, coming from a system administrator background. In other words, you need to have the recruiting machinery of a college basketball program in order to bring in the talent that you need to meet the demand.
And this is why I have a significant case of heartburn when it comes to Alan Paller. What SANS teaches perfectly compliments the policy, standards, regulations, and complicance side of the field. And the SANS approach–highly-tactical and very technologically-focused–is very much needed. Let me say that again: we need a SANS to train the huge volume of people in order to have valid, thorough risk assessments.
There is a huge opportunity to say “you guys take care of the policy and procedures side (*cough* the CISSP side), we can give you the technical knowledge (the G.*C side) to augment your staff’s capabilities. But for some reason, Alan sees FISMA, NIST, and C&A as a competitor and tries to undermine them whenever he can.
Instead of working with, he works against. All the smart people in DC know this.
Posted in FISMA, NIST, Rants, Risk Management, What Doesn't Work, What Works | No Comments »
So it’s old news (originally published in The New Yorker in May 2006), but this is an interesting read: Game Theory.
I’m reading this essay, and all of the sudden I had a “wow” moment. It all revolves around the complexity of information security and because it’s dependent on so many external factors, it’s hard to point to one indicator to say “this one thing makes or breaks an information security program.”
For some of us, this is disheartening. What do you mean there’s not one prime directive in running a security program? Surprise, it’s the “Magic/Silver Bullet” problem rehashed.
For the rest of us, this is fantastic. What it means is that since it’s a security program is holistic–in the words of the old-school Perl hackers, TMTOWTDI: There’s More Than One Way To Do It.
You can gather metrics about all sorts of things, but at the end of this academic exercise, it comes down to what you really want to accomplish–the soft-skills to temper the hard science.
There still is a place for Bubba the Infantryman and Guerilla CISOs out there in the world. These are people who know instinctively when to ignore the numbers and execute.
Yes, America, good strong leadership can trump adversity if you know how and when to apply it.
Posted in Odds-n-Sods | No Comments »
Fan page for the band The Zombies. It’s a different kind of zombie, so read on:
“The Zombies were a British pop group of the 1960s. Following The Beatles in 1964 as part of ‘The British Invasion’ of the USA, they were the second UK group to score an American #1 hit.”
Posted in Zombies | No Comments »
One idea I’ve been mulling over the past couple of weeks is the amount of crossover skills that information security people need to get things done. We’re almost coming to the point where we admit that we need this kind of crossbreeding to get new ideas into the IT security industry.
2 people that I think are on most of the New School’s closet reading list: Seth Godin and Malcolm Gladwell.
Seth Godin lives in New York and dreams about how he can get your attention by using a trained army of purple cows. Unfortunately, there is an army of purple cows, people being uncreative for the most part, and now the most interesting thing you can do is to be a yellow giant wooden badger. If you think that the phrase “Think outside the box” is in itself thinking inside the box, then Seth’s blog should be an interesting read.
Malcolm Gladwell is an overly smart person with Sideshow-Bob hair. He wrote some little article called “The Tipping Point” that eventually he expanded into a book and people have been fawning all over him since. If you believe that sometimes the right thing to do is the counterintuitive thing thing to do, then Malcolm is your guy.
Posted in Odds-n-Sods | 2 Comments »
« Previous Entries Next Entries »
Posts RSS
Subscribe via Email