Maybe I’ve been working on slide decks for too long.  That’s why I haven’t been blogging much over the past week:  when you spend 8 hours a day revising and formatting slides, your brain turns to jello.

Then suddenly on Tuesday, it hit me:  the Government’s problem with security is one of scale.  And at this point you all go “Duh, where have you been for the past 200 years?”  And yes, it’s not a problem exclusive to security, it goes hand-in-hand with personnel management, financial management, $foo management, and $bar management

Large-Scale Scaley Carp Photo by radcarper

Now the scale in itself isn’t really the problem, it’s that we don’t have information security models that scale to that level.  And what I mean by that is that each agency is pretty much their own enterprise.  The entire executive branch is one huge federation of independent enterprises (and some of the enterprises are federated, but we’ll ignore that for the time being).  Most of our existing thoughts on information security management are focused on the enterprise, and the only hope to use them is to manage each enterprise separately.

Really, folks, we don’t have information security models that scale up as massively as we need to, and what we’ve been doing is borrowing from other fields, most notably Federal law and public accounting.  Unfortunately for us, these are models based on compliance, not risk management.  Even then, I don’t see the compliance angle going away anytime soon.

Now this is the really big problem:  everybody has some kind of criticism about how the Government runs their information security.  But I don’t see anybody with a viable alternative, nor do I expect to see one because the only people with problems on this scale are large governments.

Bookmark to:

Hide Sites

OK, I saw this really cool widget on a blog somewhere.  It tests the literacy level of your blog and tells you at what level you write.  Sure, OK, I’ll bite.  Bloggers love bling, dontcha know?

Fortunately for anybody who has eyes, the code that the site gives you to put the widget on your blog contains a SEO-spamming link.  Oh joy, it’s easily removable if you’re halfway knowledgeable.  But you still can use the textbox to feed urls to the machine.

Anyway, in the interest of science and all things egotastical, I submitted some sample security blogs and was highly surprised at some of the results.  My rundown on how particular sites rate:

• Emergent Chaos, Adam et al http://www.emergentchaos.com/ Junior High School
• Shrdlu http://layer8.itsecuritygeek.com/ Junior High School
• Anton Chuvakin http://chuvakin.wordpress.com/ Junior High School
• Me http://www.guerilla-ciso.com/ High School
• Rich Mogull http://www.securosis.com/ High School
• Gunnar Peterson http://1raindrop.typepad.com/1_raindrop/ High School
• Alex Hutton http://www.riskanalys.is/ High School
• Mark Curphey http://www.securitybuddha.com/ College (undergrad)
• Chris Hoff http://rationalsecurity.typepad.com/ College (postgrad)
• Martin McKeay http://www.mckeay.net/ College (postgrad)
• Amrit Williams http://techbuddha.wordpress.com/ Genius!!

Now if I check out Amrit’s blog tomorrow and he’s got a genius sticker displayed prominently on his site, I’ll take the blame and rage from the blogosphere.  It’s only fitting.

To be honest, I’m surprised I didn’t come in at the preschool level, what with my lowbrow sense of humor and all.  =)

Bookmark to:

Hide Sites

The US Army occassionally does things right.

Well, one of the things that they do right is training. Our training process for squad and above is mostly focused around the Observer-Controller (OC) and their value proposition (my MBA word for the day, TYVM). Whenever you are training, there is an OC tagging right along with you to assess what and why you are doing something and then make recommendations at the end.

 

Observer-Controllers hard at work, photo by David Axe

What an OC brings with them (aside from their 31337 BBQ Ski11z):

• Experience of having seen the same task done hundreds of times with various groups.
• A strong understanding of the doctrinally-correct way to do a task.
• Techniques to fill out where doctrine is not specific enough.
• Sometimes they have pre-written standard operating procedures that they will share with you.

What an OC will never do:

• Use you resources to support themselves.
• Own the solution space for you.
• Criticize you in front of your troops.
• Interfere with your ability to do your mission.

Hmmm, sounds like the things that a good auditor does.

Auditors are in a fantastic position to help the auditee because of the wide range of experience in how other companies have been doing the exact same thing that you are doing.  Point is, there is a level of collusion that needs to happen between the auditor and the auditee, and the extent of that collusion is really what we’re talking about when we start looking at Separation of Duties and similar things.

Over the years, auditors and auditees have had the nature of their relationship change numerous times. Around the time of Sarbanes-Oxley, the pendulum swung wildly the way of “no relationship no how” and now it’s slowly moving back to somewhere normal. Here’s a podcast with Michael Oxley talking about how auditors need to collude better with the auditee.  Disclaimer:  this is part of a series that is produced by my firm, but I had no part in this, Mkay?

Here in DC, we have a saying (Ok, I made it up my own self):  “Collusion is not just a technique, it’s THE technique.”  =)

Bookmark to:

Hide Sites

I don’t know where to start with this one:  zombies riding motorcycles.

Bookmark to:

Hide Sites