IT is about executing predictable business processes. Security is about reducing the impact of unpredictable attacks to a your organization. IT and security adopt a common goal and a common language – a language of customer-centric threat modelling Typically, when a company ( business unit, department or manager) needs a line of business software application, IT …
Read more »Information security is very much product driven and very much network perimeter security driven at that: firewalls, IPS, DLP, anti-virus, database firewalls, application firewalls, security information management systems and more. It is convenient for a customer to buy a product and feel “secure” but, as businesses become more and more interconnected, as cloud services …
Read more »I’ve been recently writing about why Microsoft Windows and the Microsoft monoculture in general is a bad idea for medical device vendors – see my essays on Windows vulnerabilities and medical devices here, here and here. It is now time to slaughter one more sacred cow: SSL. One of the most prevalent misconceptions with vendors in …
Read more »Whether you’re an account manager at Cisco, a programming geek in an Israeli startup, an expert on PCI DSS 2.0 or an industry authority on CRM; you must understand the culture in your workplace in addition to your professional skills in order to effectively manage risk and comply with regulation. If you alienate people – …
Read more »Here are 7 steps to protecting your small business’s data and and intellectual property in 2011 in the era of the Obama Presidency and rising government regulation. Some of these steps are about not drinking consultant coolade (like Step # 1- Do not be tempted into an expensive business process mapping project) and others are adopting best practices …
Read more »A metaphor I like to use with clients compares security vulnerabilities with seismic fault lines. As long as the earth doesn’t move – you’re safe, but once things start moving sideways – you can drop into a big hole. Most security vulnerabilities reside in the cracks of systems and organizational integration and during an M&A, those …
Read more »The notion of a security consultant guild is a seductive idea. Promoting quality, defining service levels and enhancing professional standing are good things, but there is a red ocean of professional forums so – I would not just jump in and start a guild. Just take a look at forums like LinkedIn and Infosec Island …
Read more »Are the security lights on, but no one is home at your company? An April 2010 survey of 80 chief security officers and over 200 members of ASIS International (a trade association for corporate security professionals) basically says that while most large organizations have risk analysis processes – there is no one in charge of risk …
Read more »There is a lot to be said for preventing data loss at the point of use but if you are considering endpoint DLP (data loss prevention), I recommend against buying and deploying an integrated DLP/Anti-virus end-point security agent. This is for 4 reasons: Bloatware/system resource consumption – if you’re concerned with anti-virus system resource usage, …
Read more »With all due respect to Varonis and access controls in general (Just the area of Sharepoint is a fertile market for data security), the problem of internally-launched attacks is that they are all done by the “right” people and / or by software agents who have the “right” access rights. There are 3 general classes …
Read more »