Build security in or bolt it on afterwords? Our IKANHAZFIZMA LOLCATS have an opinion on this today.

• Lolcats and QR Codes
• Redundant Lolcats
• Lolcats Protect the End Users
• Lolcats Coming to you from the Cloud
• Lolcats, Capital Hill, and a Haiku

Reference: Thought-Terminating Cliches.  They’re such a ugly things and all over the security industry and need to die, mostly because these things are so obvious that they need to die so we can introduce new ideas.

Just starting a collection, feel free to add more:

• Compliant doesn’t mean secure.
• You can always go above the minimum baseline.
• You don’t know what you don’t know.
• Security is a journey, not a destination.
• We all know that $Foo is dying/dead/failing/stillborn.
• There is no silver bullet.
• It’s security, it’s supposed to be hard.

• On Government Employees, Culture, and Survivability
• The Press has Me all Confused
• Now ISC2 Blogs have an Opinion on FISMA
• Inside the Obama Administration’s Cyber Security Agenda
• Beware the Cyber-Katrina!

For some reason, “Rebuilding C&A” has been a perennial traffic magnet for me for a year or so now.  Seeing how that particular post was written in 2007, I find this an interesting stat.  Maybe I hit all the SEO terms right.  Or maybe the zeitgeist of the Information Assurance community is how to do it right.  Anyway, if you’re in Government and information security, it might be worthwhile to check out this old nugget of wisdom from yesteryear.

• GAO’s 5 Steps to “Fix” FISMA
• Old Saint NIST: Ho Ho Hold on, what’s this?
• A Funny Thing Happened Last Week on Capital Hill
• “Machines Don’t Cause Risk, People Do!”
• The 10 CAG-egorically Wrong Ways to Introduce Standards

Metricon 5 was this week, it was a blast you should have been there.

One of the things the program committee worked on was more of a practitioner focus.  I think the whole event was a good mix between theory and application and the overall blend was really, really good. Talking to the speakers before the event was much awesome as I could give them feedback on their talk proposal and then see how that conversation led to an awe-inspiring presentation.

I brought a couple security manager folks I know along with me and their opinion was that the event was way awesome. If you’re one of my blog readers and didn’t hunt me down and say hi, then whatcha waitin’ for, drop me an email and we’ll chat.

You can go check out the slides and papers at the Security Metrics site.

My slides are below.  I’m not sure if I was maybe a bit too far “out there” (I do that from time to time) but what I’m really looking for is a scorecard so that we can consciously build regulation and compliance frameworks instead of the way we’ve been doing it. This would help tremendously with public policy, industry self-regulation, and anybody who is trying to build their own framework.

• Massively Scaled Security Solutions for Massively Scaled IT
• Why We Need PCI-DSS to Survive
• Building A Modern Security Policy For Social Media and Government
• DojoCon 2009 Presentation
• Professor Rybolov’s Guide to InfoSec and Public Policy Analysis

A common theme for me this year:  as a security manager, how do you use metrics to tell your boss that you’re doing a good job and yet at the same time you’re doing a bad job and need more money, time, and resources?

• SCAP in Lulz
• Oh to be a Program Manager
• Preliminary Findings on Cybersecurity Review Now Out
• Cyber-Ninja Lolcats Caught on Film
• IKANHAZFIZMA Finds Caution Tape

With a shout-out to Chris Paget who generated some of the biggest buzz at Defcon with his GSM hacks.

• Lolcats Attend B-Sides
• Look Out, Sir Bruce, IKANHAZFIZMA is Coming for You
• Preparing for Cybergeddon
• Lolcats Coming to you from the Cloud
• Super Secret Security Control You Were Never Meant To See