Posted August 17th, 2010 by rybolov
For some reason, “Rebuilding C&A” has been a perennial traffic magnet for me for a year or so now. Seeing how that particular post was written in 2007, I find this an interesting stat. Maybe I hit all the SEO terms right. Or maybe the zeitgeist of the Information Assurance community is how to do it right. Anyway, if you’re in Government and information security, it might be worthwhile to check out this old nugget of wisdom from yesteryear.
Posted April 7th, 2010 by rybolov
Just a quick post to shill for Privacy Camp DC 2010 which will be taking place on the 17th of April in downtown DC. I went last year and it was much fun. The conversation ranged from recommendations for a rewrite of
The basic rundown of Privacy Camp is that it’s run like a Barcamp where the attendees are also the organizers and presenters. If you’re tired of going to death-by-powerpoint, this is the place for you. And it’s not just for government-types, there is a wide representation from non-profits and regular old commercial companies.
Anyway, what are you waiting for? Go sign up now.
Posted March 28th, 2010 by rybolov
OK, so now for some news about me if you haven’t seen it on twitter (You’re a security geek not on twitter? Check out the Cool Kids Club and get involved). Earlier this month I changed jobs and am now the Security Evangelist for Akamai–basically telling the story of our security team and the platform and what we do right. I’m still doing some Federal business but I’ve also picked up responsibility for commercial customers. And yes, I’ve slowed down on the antics a bit to let the dust settle.
In other news, My Favorite Govie and I are back to teaching our Public Policy and Information Security class for CMU. Much has changed in the time since we started the class a year and a half ago:
- The 60-Day Review was completed and finally released. Thanks to Melissa Hathaway for the hours she put into this, now let’s get the calls-to-action done.
- The President actually had a press conference about IT security. Now how to convert that attitude to something actionable.
- We finally have a Cybersecurity Coordinator. Go Howard! I think the biggest thing that he will accomplish is to scope his job and build his authority.
- Verizon released their newer, badder, and stronger Data Breach Investigation Report. Like it or not, they’re still the only people releasing data.
And then some things have stayed the same:
- We’re still wasting half of the Government’s security spending, we just can’t figure out which half.
- The Government’s InfoSec metrics still suck.
- FISMA hasn’t died.
- SANS still reminds us that FISMA is failing. =)
Posted October 16th, 2009 by rybolov
My presentation slides from Sector 2009. This was a really fun conference, the Ontario people are really, really nice.
The US Federal Government is the world’s largest consumer of IT products and, by extension, one of the largest consumers of IT security products and services. This talk covers some of the problems with security on such a massive scale; how and why some technical, operational, and managerial solutions are working or not working; and how these lessons can be applied to smaller-scale security environments.
Posted September 21st, 2009 by rybolov
Been busy lately. This is a quick rundown on where I’ll be over the next couple of months so you can stalk me.
- October 5-7: SecTor, Toronto, ON, Canada. I’ll be talking about “Massively Scaled Security Solutions for Massively Scaled IT”, which is an allusion to the size of the US Federal Government IT budget and the techniques they use to manage it. The Rybolov Layered Information Security Management Model seen here earlier weighs heavily into the presentation, as does a ton of other ideas trying to get people to understand that hazy information security management area above the enterprise.
- November 6-7: DojoCon, Laurel, MD. I’ll be talking about the “Current State of Compliance”, which somewhere along the line has a punchline of “It’s going to happen anyway, might as well drive the bus instead of being under the bus”. There is also a compliance panel following my talk and I’ll be on it with Cyberhiker and Dan Philpott.
- November 10-14: AppSec DC, Washington, DC. I’ll be running amok making part of the conference work. I’m not speaking at this one, which is a good thing because, well, every time I start talking web apps and security it takes me back to all the bad code I wrote in the late 90s. But hey, didn’t we all?
So in between preparing slides, running amok as a volunteer, and the usual work-life imbalance, I haven’t had much free time lately to add to the blog. Plenty of ideas and blog fodder are floating around inside my head. After the conventions I’ll put up my materials for the rest of the world to pick on.