Posted July 27th, 2007 by rybolov
Interesting news article about some of Boeing’s problems.
This is an industry problem, one that we don’t talk about too much, and the heart of it is that it’s hard to manage security in huge organizations. Sure, there are the infosec frameworks like 7799/27001, FISMA, etc. If you look at the fairly undeveloped pieces of security, you’ll notice some trends:
- At the tactical level, we know vulnerability scanning, exploit writing, and hardening standards.
- At the operational level (Army sense of operational–we’re talking brigades and divisions here), we have risk management, certification, and my favorite whipping-boy, compliance.
- At the strategic level, we have enterprise architecture, inventory management, and capital planning.
My opinion, and it’s purely opinion, is that as you progress up the ladder to strategy, there is less and less of a knowledge base and a higher rate of opportunity for charlatans. But then again, it echoes IT management in general–everybody knows how to build a fairly secure server, but not a whole lot of people know how to manage IT infrastructure for 75K users.
Purely as a sidenote, ISM-Community is working to be a player in the operational and strategic area of security; I’m just trying to figure out how to get more people involved.
Posted in ISM-Community, The Guerilla CISO, What Doesn't Work, What Works
Posted July 3rd, 2007 by rybolov
So I’ve gotten ISM-Community a wee little bit of press over the past week.
Dark Reading
IT Backbones Security
About the best advice I’ve gotten on PR stuff was from Paul Graham’s essay The Submarine:
“A good flatterer doesn’t lie, but tells his victim selective truths (what a nice color your eyes are). Good PR firms use the same strategy: they give reporters stories that are true, but whose truth favors their clients.”
In other words, I wrote our press release so that it was easy to cut and paste the sections that a reporter would want. Instead of giving them a list of facts, I gave them a modular story with some good quotes that could be cut off whenever they wanted.
Anyway, you’re hearing about me being a PR wonk because that’s about all I have time for right now. I can’t talk work-related stuff because for the next couple of weeks it’s all stuff that nobody needs to know about–covert missions and whatnot. =)
Posted in ISM-Community, Odds-n-Sods
Posted June 29th, 2007 by rybolov
But you probably knew that already, didn’t you? =)
Get it all here
Posted in ISM-Community, Odds-n-Sods
Posted June 28th, 2007 by rybolov
I spent last night writing a press release for ISM-Community Top Ten. Press of the world, be warned, you will be hearing from me soon.
Anyway, lessons learned from writing a press release:
- Geeks hate hyperbole
- Security geeks hate hyperbole even more
- There is a big need for marketing people to learn how to talk “security dweeb” and there is a need for security managers to learn how to talk to “marketing dweebs”
- Have a stock supply of quotes from people associated with the project to put wherever you see fit–collecting them at the last minute is hard to do
- Don’t ever volunteer again =)
Seriously, though, they’re good skills to learn, even if you think you’ll never need them again.
Posted in ISM-Community, Odds-n-Sods