Posted December 24th, 2008 by
rybolov
Not that I’m creative enough to come up with this, the guilty parties behind the werds are shrdlu and danphilpott.
Similar Posts:
Posted in IKANHAZFIZMA | 1 Comment »
Tags: fisma • government • infosec • lolcats • security
Posted December 18th, 2008 by
rybolov
What do you get when you have too many observers and not enough doers? You get the current state of oversight in the Government’s IT security implementation. With the focus supposedly switching from building projects to continuous monitoring, it leaves a question lingering in the back of my mind: are the auditors going to switch to near-real-time observation?
Hence, the age-old cybersecurity question:
Similar Posts:
Posted in IKANHAZFIZMA | 3 Comments »
Tags: auditor • catalogofcontrols • compliance • government • infosec • lolcats • management • security
Posted December 16th, 2008 by
rybolov
I love transition time. We get all sorts of strange people who come in, issue their letters on how they think the Government can solve the major cybersecurity issues for both the Government’s IT systems and for the rest of the US as a whole. And then, they all leave.
Nobody actually implements the suggestions because it takes time, effort, and money to get them done, and all that anybody ever wants to give is talk. Talk is cheap, security is not.
Many years ago when I became an infantryman, our guest speaker at graduation made one of the most profound statements that I remember over 8 years later: “Infantrymen vote with their feet”. In other words, we’re doers, not talkers, and at one point in our lives we decided that something was important enough to give up 4 years of our lives, maybe more, for this cause. Even Colonel Davy Crockett after he lost re-election to the House of Representatives wrote “I told the people of my district that I would serve them as faithfully as I had done; but if not … you may all go to hell, and I will go to Texas.” He died less than 3 years later at the Alamo. That, ladies and gentlemen, is how you vote with your feet.
My personal belief is that the primary problem the Government has with security (on both sides of the InfoSec Equities Issue) is that there is a lack of skilled security practitioners upon which to draw from. If you think about everything we’ve done to date, it’s almost always a way of compensating for our lack of skilled people:
- Reducing security to a bunch of checklists
- Providing templates to non-security staff
- Automation wherever possible
- “Importing” non-security specialists such as accountants and technical writers in security roles
- Building a “Franchise Kit” upon which to base a security program
- Reserving key decisions for trained security staff
As an industry, we have failed (at least in the public sector) at generating people with the skills to do the job.
And in light of this, my challenge to you: have a good idea and think you know how to solve the information security? Yes, we need those, but what we really need are IT security infantrymen who are willing to be doers instead of talkers. To answer the title of my blog post, the thing that the Government is missing is you.
Infantry Action Photo by Army.mil
So how can you help? I know moving to DC is a bit of a stretch for most of you to do. This is a short list of ideas what you can do:
- Learn how the Government secures systems: don’t just dismiss outright what people in DC are doing because conventional wisdom says that it is failing miserably, and don’t listen to people who do the same.
- Actively recruitment of techies to “embrace the dark side” and become security people: We need more technically-savvy security people.
- Answer the call from DHS when it comes: living in DC is isolating from the rest of the world and all fo the good ideas that are out there. Maybe you have a phenomenal microstrategy on how to secure IT. They/we need to know them. The Government cannot succeed at securing cyberspace (whatever your interpretation of that phrase means) without input from the private sector.
- Don’t engage the Government only when there’s money in it for you. ~$8B is a ton of money, but if you’re doing your job right as a vendor, you’re solving their problems as a first priority, not a second.
- Build a better education system for security staff and make better career paths to get people from the technical disciplines into security.
Similar Posts:
Posted in Army, Rants, The Guerilla CISO | 8 Comments »
Tags: blog • dhs • government • infosec • security • training
Posted December 15th, 2008 by
mini-me
So rybolov asked for another guest blog and a hot topic on my mind recently is training. Training in the IT world is kind of like the chicken before the egg argument – every employer whats you to have the latest Security F00$ training but they never want to pay for it. What is an IT professional to do?
So why are the majority of employers hesitant to train their IT staff? Are they afraid they are going to bring new skills to your resume and then you will jump ship to the next “jump and bump opportunity”? Or do they really have funding shortfalls and budget cuts to to prevent you from taking that 7 day Bahamas IT training cruise you wanted wanted to take this winter? My take is that it is probably a little bit of both.
Let’s think about this for a minute. You are a cash-strapped IT Manager at $your_organization_name_here and have limited funding for a never-ending list of training requests. In your attempt to balance training with the rest of your budget, you eventually have to cut training to the bare minimum. If you do splurge and spend the money to send an employee to the latest security F00$ training, the next time he/she is unhappy they might leave. But chances are you have program requirements that dictate some level of yearly training that is required. This situation can also be double whammy if you are in a consulting or contracting role where opportunity costs also means you are not billable during your time in training.
My suggestion is to strike some kind of balance to make both the employee and IT management happy. If you are in the role of government management, consider the possibility of allowing your contracting/consulting staff to bill their training hours to the program instead of going on company overhead. Another possibility to consider is if you involved in IT management in the consulting/private/commercial sector, consider offering a reasonable allowance each year towards training. It does not have to be huge amount of money to pay for an expensive 10 day conference out of town but enough to pay the tuition for a week long training class. This will show the employee that you are serious about keeping them current in their career field but at the same time put some effort on them to be reasonable with their training requests. Depending on your geographic location, you can usually find job related training locally, especially if you are located anywhere near the beltway.
I was recently faced with this dilemma in my current position. We were told training funding was not available this year and that we would have to wait until next year. After thinking about this for a while, I approached my manager with an idea they bought into. I identified an area within my field that I have really wanted to get into the last few years but the opportunity never presented itself. Since we have the need for this skill and the organization was planning on investing in this area in 2009, I offered to pay my own tuition to attend this training if they would allow me use PTO for the classes. They agreed and I purchased a one-year training package that will allow me to attend an unlimited number of classes from the vendor over the next year. When training funding becomes available again next year, we are planning on putting my training allowance towards travel costs. In the end, I was able to turn the situation into a win-win for both my employer and my skills set. In a world of shrinking IT budgets, a little creativity can go a long way in meeting your training goals.
Football Training photo by melyviz
Similar Posts:
Posted in Odds-n-Sods, What Works | 3 Comments »
Tags: cashcows • certification • government • infosec • infosharing • management • moneymoneymoney • security • training
Posted December 15th, 2008 by
rybolov
It’s probably a shocker to most people, but I’m going to recommend that S.3474 be amended or die on the Senate floor like Caesar.
I’ve spent many hours reading over S.3474. I’ve read the press releases and articles about it. I’ve had some very difficult conversations with my very smart friends.
I’ve come to the conclusion that S.3474 as written/proposed by Senators Carper and Leiberman is not the answer to information security in the Government as it has been publicized repeatedly, and that anyone who believes the hype is in for a rude surprise next fall if the bill is ratified and signed.
My thoughts on the matter:
- S.3474 is not what it is being publicized as. The people who write the press releases and the articles would have us believe that S.3474 is a rewrite of FISMA 2002 and that it focuses on continuous monitoring of the security of IT systems, both of which are a good thing. First and foremost, it does not repeal FISMA 2002, and anyone saying that is simply trying to deceive you. S.3474 adds to the FISMA 2002 requirements and codifies the role and responsibility of the agency CISO.
- S.3474 does not solve the core problem. The core problem with security and the Government is that there is a lack of a skilled workforce. This is a strategic issue that a bill aimed at execution of security programs cannot solve by itself.
- S.3474 adds to the existing checklists. People have been talking about how S.3474 will end the days of checklists and auditors. No, it doesn’t work that way, nor is the bill written to reduce the audits and checklists. When you introduce new legislation that adds to existing legislation, it means that you have added more items to the existing checklists. In particular, the provisions pertaining to the CISO’s responsibilities are audit nightmares–for instance, “How do you maintain a network disconnect capability as required by FISMA 2008” opens up a whole Pandora’s Box worth of “audit requirements” which are exactly what’s wrong with the way FISMA 2002 has been implemented.
- S.3474 puts too much of the responsibilities on the CISO. It’s backwards thought, people. The true responsibility for security inside of an agency falls upon that political appointee who is the agency head. Those are the people who make the decisions to do “unsafe acts”.
- S.3474 does not solve any problems that need a solution. Plain and simple, it just enumerates the perceived failings of FISMA 2002. It’s more like a post-divorce transition lover who is everything that your ex-spouse is not. Let’s see… technical controls? Already got them. Requirements for network monitoring? Already got them. 2nd party audits? Already got them. Requirements for contractors? Already got them. Food for thought is that these exist in the form of guidance, does the security community as a whole feel that we need to take these and turn them into law that takes years to get changed to keep up with the pace of technology? There is some kind of segue there into Ranum talking about how one day we will all work for the lawyers.
Of course, this is all my opinion and you can feel free to disagree. In fact, please do, I want to hear your opinion. But first and foremost, go read the bill.
i haz a veto pen photo by silas216
Similar Posts:
Posted in FISMA, Rants, The Guerilla CISO, What Doesn't Work | 3 Comments »
Tags: comments • fisma • FUD • government • infosec • itsatrap • law • legislation • publicpolicy • S3474
Posted December 11th, 2008 by
rybolov
Best job in the Government today: all the money and a mission to spend it on. You know the old saying “Either you’re driving the bus or you’re under it”? Well, these guys drive.
Similar Posts:
Posted in IKANHAZFIZMA | 1 Comment »
Tags: cashcows • government • infosec • lolcats • management • moneymoneymoney • security