Managing Security in Large Organizations

Posted July 27th, 2007 by

Interesting news article about some of Boeing’s problems.

This is an industry problem, one that we don’t talk about too much, and the heart of it is that it’s hard to manage security in huge organizations. Sure, there are infosec frameworks like 7799/27001, FISMA, etc. If you look at the fairly undeveloped pieces of security, you’ll notice some trends:

  • At the tactical level, we know vulnerability scanning, exploit writing, and hardening standards.
  • At the operational level (Army sense of operational–we’re talking brigades and divisions here), we have risk management, certification, and my favorite whipping-boy, compliance.
  • At the strategic level, we have enterprise architecture, inventory management, and capital planning.

My opinion, and it’s purely opinion, is that as you progress up the ladder to strategy, there is less and less of a knowledge base and a higher rate of opportunity for charlatans. But then again, it echoes IT management in general–everybody knows how to build a fairly secure server; not a whole lot of people know how to manage IT infrastructure for 75K users.

Purely as a sidenote, ISM-Community is working to be a player in the operational and strategic area of security, I’m just trying to figure out how to get more people involved.


Posted in ISM-Community, The Guerilla CISO, What Doesn't Work, What Works | No Comments »

Being a PR Wonk is Hard

Posted July 3rd, 2007 by

So I’ve gotten ISM-Community a wee little bit of press over the past week.

Dark Reading

IT Backbones Security

About the best advice I’ve gotten on PR stuff was from Paul Graham’s essay The Submarine:

“A good flatterer doesn’t lie, but tells his victim selective truths (what a nice color your eyes are). Good PR firms use the same strategy: they give reporters stories that are true, but whose truth favors their clients.”

In other words, I wrote our press release so that it was easy to cut and paste the sections that a reporter would want. Instead of giving them a list of facts, I gave them a modular story with some good quotes that could be cut off whenever they wanted.

Anyway, you’re hearing about me being a PR wonk because that’s about all I have time for right now. I can’t talk work-related stuff because for the next couple of weeks it’s all stuff that nobody needs to know about–covert missions and whatnot. =)


Posted in ISM-Community, Odds-n-Sods | 3 Comments »

Top Ten Announcement/Press Release Now Up

Posted June 29th, 2007 by

But you probably knew that already, didn’t you? =)

Get it all here


Posted in ISM-Community, Odds-n-Sods | 1 Comment »

Making Press Releases

Posted June 28th, 2007 by

I spent last night writing a press release for ISM-Community Top Ten. Press of the world, be warned, you will be hearing from me soon.

Anyway, lessons learned from writing a press release:

  • Geeks hate hyperbole
  • Security geeks hate hyperbole even more
  • There is a big need for marketing people to learn how to talk “security dweeb” and there is a need for security managers to learn how to talk to “marketing dweebs”
  • Have a stock supply of quotes from people associated with the project to put wherever you see fit–collecting them at the last minute is hard to do
  • Don’t ever volunteer again =)

Seriously, though, these are good skills to learn, even if you think you’ll never need them again.


Posted in ISM-Community, Odds-n-Sods | 2 Comments »

Open Letter to New Security Manager

Posted June 27th, 2007 by

Let me be one of the first to congratulate you. Whether your title is CISO, ISSO, Manager, or Consultant, being a security manager is an accomplishment.

Now for the bad news: You need to go into the job knowing that you will always be short on people, time, and money. Good people are hard to come by, and as soon as you get them trained up, they’ll change jobs because they outgrew what you hired them to do. Time is critical because effective security requires cooperation with all the other business disciplines, which takes time and effort. Security is seen as a cost center, so any good business will try to limit security spending in order to maximize their profit.

My friends at ISM-Community have developed an Information Security Management Top 10 document with some very solid practical advice for how to survive in today’s security environment. Think of it as a list of meta-themes that all successful security managers and programs have in common.

The ISM Top 10 doesn’t solve all of your people, time, and money problems, but it can help you to recognize trends and set a long-term strategy to winning.


Posted in ISM-Community, Risk Management, What Works | 2 Comments »

CISO’s “Book of Death” for June 22nd

Posted June 23rd, 2007 by

I just posted my most recent update to my CISO’s “Book of Death” as a file on ISM-Community. It’s just a collection of spreadsheets I’ve used over the past year or so.

As usual, you can throw me questions, comments, or war stories. I especially like to hear where and how you’re using any of the spreadsheets or what doesn’t work for you, and I added a front sheet in this version with contact information for me so you could reach me.

Original “Book of Death” is here.


Posted in ISM-Community, The Guerilla CISO, What Works | No Comments »
