Tag Archives: Gartner

Security metrics anti-design patterns

I’ve been thinking recently about how most of our clients don’t collect security metrics. That got me thinking about the anti-design patterns that typify firms with a higher level of vulnerability to a major data loss event.

Running security is no different from running a business – you have assets and threats, vulnerabilities and resources to protect the assets. There are widely accepted and practiced revenue models, costing models and performance metrics for businesses of all shapes and sizes, yet information security has not reached this stage of maturity. Taking two security standards as an example (ISO 27001/27002 and PCI DSS 1.2), it is clear that a well-structured list of security controls is not a substitute for measuring security control effectiveness.

So – how can we use anti-design patterns for diagnosing a firm with potential security issues?

Let’s start by looking at how a typical business uses metrics.


7 tips to improve security in a tough economy

Are you waiting for the next Gartner Security Report, making plans to evaluate some technology your CEO might not approve after she slashes your funding and maybe your job?

As a security professional, you can blame hackers, buggy software and the economy – or you can do something different.

“Life is what happens to you while you are busy making other plans.”
– John Lennon

7 steps you can take right now to improve security in a slow economy

1. Do not buy security technology; add business value.

Many companies equate information security with information technology. This is a mistake. Do not buy . . . instead add value. Take your existing security products and services, create something new and offer it to your customers as a package. Why? Because you have already paid for implementation, you only have to absorb the cost of your time and internal marketing instead of taking money out of the company bottom line when you buy and implement new technologies.

2. Attack Now or Be Eaten Later!

Are you wondering how you can trace leaks of sensitive marketing documents? Scared witless about how your competitors will hack that new Oracle J2EE self-service application that customer service is rolling out? Attack your own systems. Now. Wait and you will be lunch for the sharks.

3. Reinvent your offerings

Whether you are an independent security consultant or an engineer in a company with 100,000 employees – you have customers. Customers are our bosses. If you want job security, then create new interest with your customers. Repackage and rename the services you sell your customers. Start small – for example by offering attack modeling for one business unit in your company, and grow your internal practice over time with word-of-mouth marketing.

4. Do not hang on at any cost

Do not wait if your company starts getting engulfed in the firestorm. Your security skills are transferable to other industries, other disciplines. There are other opportunities – you will find them and survive.

5. Change your business model

If your customers cannot afford what you sell – change the rules. Paying too much money to manage MS Exchange and a lot of content security? Drop it and migrate to Google Applications. Now is the time to make the change.

6. Do not be cheap.

This one is directed to executives. The last big downturn, which I remember started in 2002 and got worse in 2003, had executives looking to hire on the cheap – people with narrowly focused skill sets. Not a good move. A security professional who is smart, can hack and can communicate and costs 50% more is worth 4 or 5 of the coffee drinkers who maintain your firewall.

7. Take Action.

Do not stress out about the economy. While you are thinking about how to negotiate a 75% discount from the new data loss prevention system you really need – your competitors will be all over you. Take action – invest in monitoring internal transactions and start shutting down the vulnerabilities you never saw before.
