The case for a guild of security consultants
The notion of a security consultant guild is a seductive idea. Promoting quality, defining service levels and enhancing professional standing are good things, but there is a red ocean of professional forums so – I would not just jump in and start a guild. Just take a look at forums like LinkedIn and Infosec Island […]
Professional skill sets
We spent the past week in Tzfat (Safed) – situated in the northern part of Israel and with a 900meter elevation, the weather is cool and dry and a welcome relief from the humidity and heat of Tel Aviv. We met a couple at dinner one evening – the husband is a retired aerospace software […]
Health insurer data breaches
switched.com is having trouble understanding the attack vector of a data breach. They apparently believe that software vulnerabilities can be mitigated by consumers “actively protecting their information”. Hackers recently attacked WellPoint, a health insurer which reportedly covers 34 million people. As a result of the breach, the company notified 470,000 individual customers that confidential information, […]
Operational risk management – what we really need
Operational risk management has been the buzz word du-jour in recent years, due to the Basel II initiative in the banking industry and Solvency II in the insurance industry. The Basel II definition of operational risk is “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.” […]
The next generation of risk analysis
“What me worry – I’ve got a regulatory check list and an enterprise risk management system to manage the process”. I want to talk about under-thinking the risk analysis and over-spending on the solution. I believe that there is a fundamental flaw in enterprise risk management systems – they don’t really tell the organization something […]
Facebook disclosure cancels raid on terrorists
I want to challenge the effectiveness of top-down, monolithic security frameworks (ISO 27001/PCI DSS) – I submit that rapidly changing threats – social networking, cyberstalking, social engineering, cyber-stalking and custom spyware are threats that exploit people and system vulnerabilities but are not readily mitigated by a top down set of security countermeasures. The recent case […]
Content protection and plagiarism
Most people tend to view content protection as a recording industry or corporate espionage issue. We have forgotten that people who plagiarize original content are also violating content security – someone else’s security in this case. My colleague Anthony Freed (who runs Information Security Resources) recently got an email from computer scientist and mathematician, Aaron Krowne. Aaron got […]
Business unit strategy for data security
At a recent seminar on information security management, I heard that FUD (fear, uncertainty and doubt) is dead, that ROI is dead and that the insurance model is dead. Information security needs to give business value. Hmm. This sounds like a terrific idea, but the lecturer was unable to provide a concrete example similar to […]
Dissonance is bad for business
In music, dissonance is sound quality which seems “unstable”, and has an aural “need” to “resolve” to a “stable” consonance. Leading up to the Al Quaeda attack on the US in 9/11, the FBI investigated, the CIA analyzed but no one bothered to discuss the impact of Saudis learning to fly but not land airplanes. […]
Third party verification of verbal agreements
My lawyer once told me that I should be careful with verbal commitments since a verbal commitment can often be construed as a binding agreement. The question is how to verify the verbal agreement and enforce non-repudiation? There are many cases in life where you want to be able to verify a verbal commitment using […]
