Securosis Blog

Don’t Cry over Spilt Metrics

Mike Rothman · October 24, 2013

Our man Gunnar starts a recent post with:

Security Metrics’ crying need is for metrics that serve others, outside of info sec.

Incite 10/23/2013: What goes up…

Mike Rothman · October 23, 2013

Every so often I realize how spoiled I am. Sure, I am more aware of my good fortune than many, but I definitely take way too much stuff for granted. My health is good. I do what I like (most days). My family still seems to like me. I provide enough to live a pretty good lifestyle. It’s all good. I don’t have much to complain about.

In the first two posts of this series we suggested that any security awareness training program needs to be focused on the proper outcomes and driven by great content. Let’s not forget the unassailable truth that the success of any security initiative is based on building momentum and making demonstrable progress early in the deployment cycle. This is not only the case for projects that involve implementing shiny boxes to block things. With a program as visible as security awareness training,…

Hey everyone,

As you know, we try to make our research process as open and transparent as possible. We know any research that ends up with a vendor logo on it somewhere is viewed with justified skepticism, so our goal is to combat that perception of bias with radical transparency.

Friday Summary: October 18, 2013

Adrian Lane · October 18, 2013

I have been taking a lot of end-user calls on compliance lately. PCI, GLBA, Sarbanes-Oxley, state privacy laws, and the like. Today I was struck by how consistently these calls are more challenging than security discussions. With security, users want to address a fairly well-defined problem. For example “How do we stop our IP from leaving the organization?” or “How can we protect users from phishing?” or “How do we verify administrator activity?” These discussions are far easier because of their…

As we come back to the Security Awareness Training Evolution series after our two-week hiatus, let’s revisit some of the key issues described in the introduction. We made the case that for liability, compliance, and even security reasons you can’t really decide not to train your users about security. Of course you could, but it would be counterproductive – you need to be realistic, and accept that you cannot reach every employee and employees do stupid things. But you can reach some, if not…

Incite 10/16/2013: Building Strengths

Mike Rothman · October 16, 2013

Back when I managed people (and yes, it seems like a lifetime ago), I subscribed to the Gallup management concepts. Productivity is based on employee engagement, and employees are much more engaged when they are doing things they are good at. The book First, Break All the Rules was eye-opening – I have spent my entire career to date trying to make my weaknesses less weak, and not trying to improve my strengths.

Evidently security as an industry does a crappy job of generating interest among kids today. How are we going to fill the massive skills gap we face if we can’t get students interested in security from an early age? Right? RIGHT?

The Week in Webcasts

Adrian Lane · October 14, 2013

On Tuesday – that’s tomorrow for those of you working this Columbus Day – Gunnar Peterson and I will be talking about API gateways with Intel’s Travis Broughton. We will run this webcast as an open discussion, and focus on the practical questions and issues of using API gateways. Our goal is to focus on end-user questions we have been getting, so bring your questions too – we plan to be very interactive. You can sign up here: API Gateways: Where Security Enables Innovation.

Attackers appear to have compromised tens of thousands of Web sites using a security weakness in sites powered by the forum software vBulletin, security experts warn.