Thursday, March 8, 2012

Security Never Sleeps


We had a great turnout on Thursday for the Trainer Communications event: Security Never Sleeps... at Lulu Restaurant for lunch, across from the RSA Conference 2012. Thanks to everyone who attended!


Friday, February 24, 2012

RSA Conference 2012


This weekend the 2012 RSA Conference begins! I am looking forward to a busy week. Every day is essentially booked from 7am to midnight. I hope to see many of my friends at what has become an annual pilgrimage to San Francisco each spring to catch up on information security trends and technology.

For me, the focus will be on security metrics and risk management, because I've got a talk (Monday morning) and a panel (Wednesday morning), and a half-day seminar (Thursday afternoon) on these topics. It seems the big security issues for 2012 are: Cloud, Mobile, Social Media and Big Data.

I am on another CISO panel at noon Thursday, talking about these security trends. I have been thinking about Big Data for a while now. I find it a fascinating subject - maybe because of my science research background (in a previous life). From the consumer perspective, embedded systems and networked systems are all around us. Data is being collected on your spending habits, Google collects data, and with social media, your life is increasingly in the public domain. Now, our cars, tractors and toasters are going to be networked nodes, sending data on where you drive, what you plant and how dark you like your bagels back to corporations who will hoard it, manipulate it and aggregate it. Security data is coming from standard network devices in the enterprise: the firewalls, routers, IDS... and it is merging with information gathered from badge readers and other "physical security" sources to build up a model of what is "normal" for you... a new biometric, "What You Do". All together, we are looking at mountains of data, and these data sets need to be pared down, while maintaining their integrity, and manipulated and analyzed in an ethical and confidential way. This is cool stuff, Maynard!

See you in San Francisco!

Endpoint Security

I recently gave a presentation at the Next Generation Security Summit in Atlanta, GA, on the topic of endpoint protection. I took the approach that endpoints are more than just desktop PCs these days. There is probably some debate on just what defines an endpoint.

Traditionally, the endpoint was the user workstation. Remember back in the early 1990s, when we started giving end users their own computers on their desks, to replace dumb terminals? I think the term "endpoint protection" actually evolved from the model of protecting computers with antivirus, delivered and updated by floppy disks.

We started to see threats increase ten years ago, when more employees started taking laptops home and connecting them to the Internet, and when we switched from dial-up modems to high-bandwidth VPN connections into our wide-open internal corporate networks.

Today, the risk is even greater, and the endpoints are more varied. I don’t think we can just think of Endpoint Security as a desktop security suite. We need to look at all resources that are used for data processing and storage, and we need to move our concern from one use case, to a broader definition that addresses security more holistically.

It is certainly good to be concerned about hardening desktops, but we operate in a more diverse environment, with an enterprise that extends into the cloud, with many different business access needs to address. Therefore, risk is coming at us from all directions and we need to look more holistically at risk management by better protecting the endpoints where our data resides, and one of the threats to mitigate is the way that data is accessed. We need to do more than just put AV on our computers and call that endpoint protection. We need to focus our resources on the things that are most precious to the business. We do that first by understanding business need. Endpoint protection is a means to an end. We ultimately want to protect intellectual property, sensitive data and PII, and protect the brand.

I tried to get across the point that endpoint protection needs to be a combination of things, emphasizing the efficacy of layers and security in depth that is more targeted and focused on what is important to protect. This is a work in progress, but I hope you find my slide deck interesting and perhaps even useful in thinking about the problem.


Friday, August 19, 2011

Securing New Technologies

Our nature is to resist change and fear the unknown.

Security isn't about eliminating risk. It isn't about saying no. Security is about knowledge: understanding risk and putting security risk in the right context, so business leaders can make informed decisions. When security is done right, it enables the business to embrace new and potentially transformative technologies and use them wisely to innovate and grow and produce business value. In today's global marketplace, leveraging new technologies to create a competitive advantage can mean the difference between businesses that succeed and those that fall by the wayside.

Today's technology is changing at a rapid pace, the enterprise perimeter is eroding, and securing endpoints is not becoming any easier as computing becomes ubiquitous, embedded in our vehicles and consumer devices, in an increasingly interconnected worldwide web. In order to trust endpoints, transactions and secure information appropriately, technical solutions and standards are necessary, but they are not sufficient by themselves to solve the problems we face.

The key to securing new technologies is collecting more and better quantitative data about the threat landscape associated with the technology, as well as device, configuration, event and transaction information. Knowledge comes from the judicious use of this information, given that the answers we get are only as good as the questions we ask. This means taking huge data sets and reducing them to something that is manageable, while maintaining the integrity of the data. Data sharing between peers and in public and private partnerships will help to standardize how we collect and use this data and lead to better threat intelligence and risk management. With a methodical approach to modeling and using this data, security risk will no longer exist in its own silo, but will become a part of the overall evaluation of business risk as meaningful security metrics mature in the coming years.

Change is inevitable and resistance is futile. If we fail to embrace new technologies, we are likely to watch our competitors pass us by. Knowledge is the key to understanding and providing creative ways to manage security risk in the face of uncertainty, and necessary to combat the fear that accompanies new and potentially transformative technologies.

Tuesday, June 14, 2011

Panel Accepted for Black Hat

I'm excited that our panel on software vulnerabilities has been selected for Black Hat 2011, so I will be attending the executive forum and briefings, and staying around for Def Con on the weekend. It will be a long week, but should be exciting. The briefings are listed on the Black Hat website, and they all look great!

Saturday, May 14, 2011

An Interview on Goals

I recently discussed my ambitions and career goals, and wanted to share some of that discussion here. It gives a little insight as to my interests and the sort of decisions I face as I try to get more involved as a professional and volunteer.

Q: Where do you feel you are in your career, today?

A: I am currently a technical program manager in computer security, for a Fortune 100 multi-national company. I am mainly responsible for vulnerability management and strong authentication. So, I am dealing with vulnerability assessments and pen testing and network security, endpoint security, remote access security and architecting solutions to enable the business in a secure way. This can be quite challenging at times, but it is rewarding. I manage many complex, global projects, but am still an individual contributor, and I don't see my role changing anytime soon. I feel my skills have improved, and my knowledge of security and the business, but I was hired with this job title and pay grade and don't see any chance of that changing.

This is typical of the security function, in industry. I'm not complaining. I am glad I can add value and feel I am being successful at what I do. I just wonder if this is what I am best suited for.

Q: So are you looking to change jobs?

A: I don't think so. I do feel I need to challenge myself, in some way, and I do that by teaching and volunteering, as well as working hard at my day job. I'm a strong believer in lifelong learning, and finding a way to contribute to one's profession and society at large. It would be too easy to give in to my lazy side, and just do what comes easy and coast. I don't feel I'd be satisfied with that choice.

I want to keep my skills sharp, and in my present job I often need to push myself to do that. I could easily get comfortable and go on autopilot where I am, and stay in a silo, and do my job adequately and bide my time until I retire. That's very doable, and it would give me a relaxed lifestyle for sure, but I think it's important to grow as a professional and as an individual.

I've been fortunate to be able to do what I've been doing for the past 12 years. I work for a great company; an ethical company that is a leader at what they do. They are well respected, and right up there with Mom and Apple Pie. They have been very supportive and I've really come to understand how a security organization functions at a Fortune 100 company. I think I've come a long way, from when I came here in 1999 with only university and government experience. It's been a privilege. I've been afforded opportunities to travel to other countries and to see all aspects of a company that's been involved in manufacturing, sales, insurance, healthcare, banking and quite a number of acquisitions and divestitures over the years.

My management seems to appreciate the value of my volunteering and serving on boards and participating in councils and peer groups. I learn a lot from networking and having discussions with peers in CISO groups, and doing all this, but it isn't required for my present job. I do it because I want to maintain currency, and to push my boundaries, and I really aspire to contribute as a thought leader in the security space. It is nice that my colleagues allow me to join in these discussions, even though I am an individual contributor in my present job.

Q: How else do you keep up with trends and changes in the security profession?

A: I try to stay up with technical advances by reading and talking to my peers, and other subject matter experts. I am past the point where I can spend much time deep-diving, and I need to deal with a broad range of issues, so I rely heavily on others for the technical stuff. I also participate in advisory councils and boards and I speak and blog on topics, when I have the time. I'd like to speak more, and write more, but in the commercial sector there isn't much opportunity or support for doing research, so I don't have much that people want to hear about. I am usually left with topics on corporate governance. I've gotten excited about security metrics, this year, and hope to speak more on that topic.

I used to work as a scientist, and I used to speak and write articles all the time, so I do miss that, but I compensate by developing courses in computer security and teaching. I find that is a great outlet for my inquisitive side.

Q: Would you like to be a security researcher?

A: I don't have a real interest in that. I wouldn't turn down an opportunity to direct research, if someone came to me with something exciting, but frankly there are younger and better people to do this. People much smarter than me. I'd actually like to be spending less of my time in the trenches and more time focusing on security strategy.

Q: Are you satisfied working in IT, when you used to be a scientist?

A: I don't consider myself to be an IT worker. I consider myself to be a scientist, an educator and a security professional. I think it's limiting to categorize people. There is a lot of similarity between the mindset of the scientist, who is trying to develop models of how nature works, and then see if those assumptions hold, and the mindset of the security professional, who makes assumptions about risk and then looks for ways to test those assumptions. My background as a scientist makes me well suited to develop logical models and to assess and address risk.

In addition, I feel that my background as a scientist, and my teaching, and the work I do as a volunteer with students promoting STEM education, and my work with the FBI, IEEE and other groups exposes me to many different viewpoints and I think that's important. It gives me a broader view of things, and helps me to consider problems from different perspectives.

Q: What's next for you, in your career?

A: If I stay on this course, I expect I will try to find more opportunities to travel and speak, and perhaps take on some more course development or try my hand at writing - I am just not sure how relevant my experience is to the broader security community. I think I'd be satisfied, but I would probably focus more of my energy into volunteer work and teaching, and maybe take on a more technical role with IEEE and my critical infrastructure protection work. There are certainly benefits to a less responsible day job, and a more laid back lifestyle. It is hard to imagine myself sitting in the same chair, in the same cubicle, for another 15 years though, just waiting to retire.

Q: If you could choose any job, what would it be?

A: If I had my dream job, I suppose it would be one that's exciting and challenges me to always be learning and pushing my boundaries. I'd feel valued and appreciated and feel the same kind of enthusiasm every day as I go to work, that I feel when I am at a security conference, for example. I'd like to be a leader; a decision maker, doing something integral to the mission of the business, rather than seen as just another technical resource.

I'd like to be in a location that was outwardly motivating, and working with lots of people much smarter than me, so I can make informed decisions and maintain a level of excellence in whatever I'm doing. I'd like to have frequent opportunities to converse with thought leaders and innovators. Maybe it would be in a college town, where I'd be able to attend seminars on the latest technologies and research. I think there are many more opportunities for a security professional on the coasts, because that's where the thought leaders are, and where you can interact in person with more of your peers. I am always getting invited to events, but being in the Midwest, not much goes on in our community. That's actually why I got involved with IEEE and became president of our local engineering and science council, so I could try to promote more activities like that, locally.

Q: Tell me more about why you feel that sort of interaction is important.

A: I think it is important to hear from thought leaders in the security field, as well as academia and business entrepreneurs and policy makers. Too often people keep to one group, and don't pay attention to the others. Like I said before, I don't think we can thrive in a vacuum. I think when we expand our thinking, when we hear different perspectives and are exposed to diversity, it can be transformative.

Wednesday, May 4, 2011

Cyber Security Strategies Summit: Security in a Digital World

Join us at the Cyber Security Strategies Summit, 10-12 May 2011, at the Kellogg Conference Center in Washington DC.

Education is the key to navigating the security landscape. Whether you are managing new initiatives, implementing new programs or designing new technologies, being informed is the deciding factor in winning the cyber war.

The Cyber Security Strategies Summit will focus on education in a digital world of uncertainty.

Tailored to a wide spectrum of stakeholders, the Cyber Security Strategies Summit presents value to small business, enterprise and Government security officers across every vertical.

Topics being covered at the Cyber Security Strategies Summit will include:

  • Risk management techniques

  • Information protection and privacy

  • Employee compliance and standards

  • Operation and security in the cloud

  • Mobile evolution and impact

  • Law enforcement and forensics

The event will offer the ideal environment for knowledge sharing and networking opportunities, while providing a stage for education.

ENTERPRISE: The enterprise security track is driven by industry case studies. Security experts from major companies will be presenting best practices in Cyber Security and Data Protection. Delegates that work in the private sector and would like to bring home new techniques and programs that are being implemented by other corporations should attend the enterprise track.

GOVERNMENT: Cyber security has become one of the most crucial issues facing the stability of our nation. Government agencies need to be equipped with the most up-to-date information available in the security environment. The Government track will discuss data protection, legislation, privacy and defending our nation against internal, international and terrorist threats.

MOBILE: The influx of smartphones is not just a convenient advancement in our daily lives; it is a paradigm shift in our corporate and government security initiatives. The Mobile revolution is in full swing and integration is imperative. The mobile track will address delegates in both enterprise and government, with educational presentations on strategies and risks that will enable your organization to securely adapt to the changing tide.

CLOUD: The risks vs. rewards of cloud computing is an imperative conversation to have, and at the center of it all is security. Is the cloud secure? Should we trust it? And how do we make the move safely? This hot-button subject will be thoroughly addressed, with discussions that prove to be pertinent for both enterprise and government security officers.

Speakers:

  • Darin Andersen (Event Chair) - Chief Operating Officer at ESET

  • Ron Baklarz - Chief Information Security Officer at Amtrak

  • Patricia Titus - VP and Global Chief Information Security Officer at Unisys

  • Jim Christy - Special Agent, Director of Future Exploration at the Department of Defense Cyber Crime Center

  • Bob Samson - Director of Information Protection and Privacy at Marriott

  • Patrick Howard - Chief Information Security Officer at the Nuclear Regulatory Commission

  • Stacy Arruda - Supervisory Special Agent at the FBI Cyber Crime Unit

  • Wade Baker - Director of Risk Intelligence at Verizon Business

  • John Johnson - Security Program Manager at John Deere

  • Rick Harris - Chief of Future Operations US-CERT, National Cyber Security Division at DHS

  • Richard H.L. Marshall - Director of Global Cyber Security Management National Cyber Security Division at DHS

  • Sol Bermann - Lead Privacy Policy Development, Business Continuity, User Advocacy at the University of Michigan

  • Eric S. Green - President of ELG Consulting

  • Adam Meyers - Director of Cyber Security Intelligence at SRA International

  • Jay Leek - VP of International Security at Equifax