NIST Security Automation Conference

Posted September 13th, 2010 by

It’s at the end of September, check it out.  Even if you’re not in the vulnerability/patch rat race on a daily basis, it would “behoove” you to go check out what’s new.  If you’ve been paying attention to OMB Memo 10-15, you’ll notice that Cyberscope takes some SCAP input.



Similar Posts:

Posted in FISMA, NIST, Technical | 1 Comment »
Tags:

Bolt-On Security

Posted August 19th, 2010 by

Build security in or bolt it on afterwords? Our IKANHAZFIZMA LOLCATS have an opinion on this today.



Similar Posts:

Posted in IKANHAZFIZMA | 1 Comment »
Tags:

Thought-Terminating Cliches and Infosec

Posted August 17th, 2010 by

Reference: Thought-Terminating Cliches.  They’re such a ugly things and all over the security industry and need to die, mostly because these things are so obvious that they need to die so we can introduce new ideas.

Just starting a collection, feel free to add more:

  • Compliant doesn’t mean secure.
  • You can always go above the minimum baseline.
  • You don’t know what you don’t know.
  • Security is a journey, not a destination.
  • We all know that $Foo is dying/dead/failing/stillborn.
  • There is no silver bullet.
  • It’s security, it’s supposed to be hard.


Similar Posts:

Posted in Rants | 7 Comments »
Tags:

Traffic Analysis and Rebuilding C&A

Posted August 17th, 2010 by

For some reason, “Rebuilding C&A” has been a perennial traffic magnet for me for a year or so now.  Seeing how that particular post was written in 2007, I find this an interesting stat.  Maybe I hit all the SEO terms right.  Or maybe the zeitgeist of the Information Assurance community is how to do it right.  Anyway, if you’re in Government and information security, it might be worthwhile to check out this old nugget of wisdom from yesteryear.



Similar Posts:

Posted in FISMA, NIST, The Guerilla CISO | No Comments »
Tags:

Metricon 5 Wrapup

Posted August 13th, 2010 by

Metricon 5 was this week, it was a blast you should have been there.

One of the things the program committee worked on was more of a practitioner focus.  I think the whole event was a good mix between theory and application and the overall blend was really, really good. Talking to the speakers before the event was much awesome as I could give them feedback on their talk proposal and then see how that conversation led to an awe-inspiring presentation.

I brought a couple security manager folks I know along with me and their opinion was that the event was way awesome. If you’re one of my blog readers and didn’t hunt me down and say hi, then whatcha waitin’ for, drop me an email and we’ll chat.

You can go check out the slides and papers at the Security Metrics site.

My slides are below.  I’m not sure if I was maybe a bit too far “out there” (I do that from time to time) but what I’m really looking for is a scorecard so that we can consciously build regulation and compliance frameworks instead of the way we’ve been doing it. This would help tremendously with public policy, industry self-regulation, and anybody who is trying to build their own framework.



Similar Posts:

Posted in Public Policy, Speaking | 1 Comment »
Tags:

Security Metrics

Posted August 12th, 2010 by

A common theme for me this year:  as a security manager, how do you use metrics to tell your boss that you’re doing a good job and yet at the same time you’re doing a bad job and need more money, time, and resources?



Similar Posts:

Posted in IKANHAZFIZMA | 1 Comment »
Tags:

« Previous Entries Next Entries »


Visitor Geolocationing Widget: