Friday, March 15, 2013

Five Simple Tips for BYOD

Check out this interesting 12-minute video where Lisa Phifer gives 5 common sense steps for approaching enterprise BYOD. I think she does a good job of giving advice on how to start down this road.

As she says, just banning personal devices won't work as we continue to accelerate down the consumerization of IT path that we all seem to be on. I think we will very quickly see consumers, and especially Millennials, who are quite able, and quite willing, to do all their work on mobile devices. Combine that with more enterprises moving to cloud services, and you see that traditional thinking won't serve us anymore. Between device-centric (MDM), network-centric (segmentation) and data-centric (sandboxed apps and VDI) approaches, there is something for everyone. You need to determine what works for your enterprise, and even if it isn't a perfect solution, take a Risk Management approach and start with the greatest risk.

Thursday, March 14, 2013

IQPC IT Security Exchange, March 10-12, 2013


I wanted to wrap up the IQPC IT Security Exchange that I attended this week in St. Pete, Florida. This was a good solid conference, covering trends and technologies. There were about three dozen security executives from all industries, and most of the talks were given by CISOs, regarding the topics that we are all concerned about: Big Data, BYOD, Cloud, CoIT, Breaches, Threat Intelligence... There were about 6-10 vendors sponsoring the event, and most of them were ones I had not been aware of. This is the kind of event where costs are kept low and you spend two days discussing security with peers, spread over three days.

I gave my talk, Big Data: Big Brother or Big Deal? on Sunday. Find links below to the presentation.

SlideShare presentation: http://www.slideshare.net/nullsession/bigdata031013b

You can also download the presentation as (PDF) or with notes (PDF).

Here are some of the interesting topics that I found useful:
  • Communicating Risk to the Board
  • Risk Management
  • Security Awareness (and metrics!)
  • BYOD and moving IT to the cloud
  • Maturing the Security Program

Friday, February 22, 2013

Security Never Sleeps

I will be joining a panel over lunch this coming Wednesday, February 27th, at LuLu Restaurant in San Francisco for a Trainer Communications event, "Security Never Sleeps". Please consider joining us!

Enjoy lunch while listening to a panel discussion and Q&A with the CSO of Sallie Mae, CPO of McAfee, business technology reporter Scott McGrew from NBC-TV and analyst Derek Brink of Aberdeen Group. Learn how to make your messages resonate with each of these audiences, and learn what doesn’t work and what has changed.

RSA Conference 2013: MBS-T19 BYOD: Here Today, Here to Stay?

Will you be attending RSA Conference 2013?

I will be on a mobility panel, discussing BYOD with experts in the field. You don't want to miss it! MBS-T19 - "BYOD: Here Today, Here to Stay?"

Professionalizing the Nation’s Cybersecurity Workforce: Criteria for Future Decision-Making

I will be on a panel for the National Academy of Sciences, discussing the topic of professionalizing the cybersecurity industry. We will be speaking at the Prescott Hotel, 545 Post Street at 2PM on Monday (2/25/13). Click here for more info!

RSA Conference 2013: GRC-W23: Managing Enterprise Risk: WHY U NO HAZ METRICS?

I just recorded a podcast for the RSA Conference on a panel I will moderate next week. I hope I did justice to the topic of our RSA panel next Wednesday! It will be MUCH better when Alex Hutton, David Mortman, Jack Jones and Caroline Wong are on stage explaining why risk management matters and how we can apply metrics to understand and reduce enterprise risk.

Please join us at 10:40 Wednesday in Moscone 133. Click here for more info.

Click to listen to my podcast!

Tuesday, February 12, 2013

I'd never forget you, Internet...

I admit I have sinned. I haven't blogged much in the past year. Most of my social media interaction has been on Facebook and Twitter and even LinkedIn. Mea Culpa, mea culpa, mea maxima culpa!

I do have an excuse though! I've been doing penance in the form of writing five cybersecurity courses for Laureate/Walden University and Excelsior College. I am excited about the new cybersecurity program I've helped develop for Excelsior College. They reached out to me in 2011, after I met the associate dean at a conference in Washington, DC. Check out their course offerings, here.


The thing about Excelsior College is, when you write a course for them, they make you teach it! So, while I have pushed myself to write meaningful courses, I've also been teaching them. Despite the pain and agony of long nights and short deadlines, it's worth it in the end. I feel it's helped me improve my own security skills. If you have an opportunity to write courses, books, speak or teach, do it! It will be a lot of extra work, when you probably already have a full schedule, but in the end you will find it beneficial.

I'm a proponent of lifelong-learning, and personal/professional development, so as a recovering physicist, I really love the privilege of being allowed to teach physics and astronomy. It's been ten years since I started teaching astronomy (and ethics) at a local university, and I now teach intro astronomy every semester at local colleges. It's motivating and rewarding to be allowed to teach others about something you love.

This last year, my company asked me to represent them in the capacity of "industry representative", developing the Next Generation Science Standards. This is an organized effort by 48 leading states to develop K-12 science standards. This is another very rewarding opportunity, and it allows me to meet educators from across the country and learn about the issues they face as they teach our children. 

So, don't hate me Internet. I haven't ignored you, I've just been busy. I promise to write more often in the future. Please don't give up on me. Be my Valentine! ;)

Thursday, March 8, 2012

Security Never Sleeps


We had a great turnout on Thursday for the Trainer Communications event: Security Never Sleeps... at Lulu Restaurant for lunch, across from the RSA Conference 2012. Thanks to everyone who attended!


Friday, February 24, 2012

RSA Conference 2012


This weekend the 2012 RSA Conference begins! I am looking forward to a busy week. Every day is essentially booked from 7am to midnight. I hope to see many of my friends at what has become an annual pilgrimage to San Francisco each spring to catch up on information security trends and technology.

For me, the focus will be on security metrics and risk management, because I've got a talk (Monday morning) and a panel (Wednesday morning), and a half-day seminar (Thursday afternoon) on these topics. It seems the big security issues for 2012 are: Cloud, Mobile, Social Media and Big Data.

I am on another CISO panel at noon Thursday, talking about these security trends. I have been thinking about Big Data for a while now. I find it a fascinating subject - maybe because of my science research background (in a previous life). From the consumer perspective, embedded systems and networked systems are all around us. Data is being collected on your spending habits, Google collects data, and with social media your life is increasingly in the public domain. Now, our cars, tractors and toasters are going to be networked nodes, sending data on where you drive, what you plant and how dark you like your bagels back to corporations who will hoard it and manipulate it and aggregate it. Security data is coming from standard network devices in the enterprise: the firewalls, routers, IDS... and it is merging with information gathered from badge readers and other "physical security" sources to build up a model of what is "normal" for you... a new biometric, "What You Do". All together, we are looking at mountains of data, and these data sets need to be pared down, while maintaining their integrity, manipulated and analyzed in an ethical and confidential way. This is cool stuff, Maynard!
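The "What You Do" model described above, as an added illustration that is not part of the original post: badge-reader events and VPN login events for a user are merged, a per-user baseline of usual login hours is learned from history, and new events are flagged when they fall outside that baseline or when a remote VPN login arrives while the badge system says the user is inside the building. The event format, the one-hour tolerance around learned hours, and the sample events are all constructed assumptions for this example.

```python
"""Constructed example of a "what you do" behavioural baseline.

Merges two log sources (badge reader and VPN gateway) per user, learns
the hours at which each user normally logs in, and flags deviations.
Added illustration, not code from the original post; all events below
are constructed sample data and the rules are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history: (user, "YYYY-MM-DD HH:MM", source, detail).
# source is "badge" (detail "in"/"out") or "vpn" (detail "login").
HISTORY = [
    ("alice", "2013-02-04 08:55", "badge", "in"),
    ("alice", "2013-02-04 17:40", "badge", "out"),
    ("alice", "2013-02-04 20:10", "vpn", "login"),
    ("alice", "2013-02-05 09:02", "badge", "in"),
    ("alice", "2013-02-05 18:05", "badge", "out"),
    ("alice", "2013-02-05 21:30", "vpn", "login"),
    ("alice", "2013-02-06 08:48", "badge", "in"),
    ("alice", "2013-02-06 17:55", "badge", "out"),
    ("alice", "2013-02-06 20:45", "vpn", "login"),
    ("bob", "2013-02-04 07:30", "badge", "in"),
    ("bob", "2013-02-04 16:00", "badge", "out"),
    ("bob", "2013-02-04 19:00", "vpn", "login"),
    ("bob", "2013-02-05 07:45", "badge", "in"),
    ("bob", "2013-02-05 16:10", "badge", "out"),
    ("bob", "2013-02-05 18:40", "vpn", "login"),
]

# Constructed batch of new events to score against the baseline.
NEW_EVENTS = [
    ("alice", "2013-02-07 03:12", "vpn", "login"),   # unusual hour
    ("bob", "2013-02-07 07:40", "badge", "in"),      # bob arrives on site
    ("bob", "2013-02-07 10:05", "vpn", "login"),     # remote login while on site
    ("alice", "2013-02-07 20:30", "vpn", "login"),   # normal for alice
    ("carol", "2013-02-07 20:00", "vpn", "login"),   # user with no history
]


def parse(events):
    """Turn the string timestamps into datetime objects."""
    return [(u, datetime.strptime(ts, "%Y-%m-%d %H:%M"), src, d)
            for u, ts, src, d in events]


def build_baseline(history, tolerance=1):
    """Per user, the hours-of-day at which VPN logins were seen, widened by
    +/- tolerance hours (assumption) so a 20:xx habit also accepts 19:xx and 21:xx."""
    hours = defaultdict(set)
    for user, ts, source, _ in history:
        if source == "vpn":
            for h in range(ts.hour - tolerance, ts.hour + tolerance + 1):
                hours[user].add(h % 24)
    return hours


def badge_state(events, user, when):
    """Most recent badge direction ("in"/"out") for user at or before `when`."""
    state = None
    for u, ts, source, detail in sorted(events, key=lambda e: e[1]):
        if u == user and source == "badge" and ts <= when:
            state = detail
    return state


def score(baseline, events, event):
    """Return the list of reasons an event deviates from the user's model."""
    user, ts, source, _ = event
    reasons = []
    if source == "vpn":
        known = baseline.get(user)
        if not known:
            reasons.append("no VPN baseline for user")
        elif ts.hour not in known:
            reasons.append(f"login at {ts:%H:%M} outside usual hours")
        # Physical and logical sources disagree: badged in, yet logging in remotely.
        if badge_state(events, user, ts) == "in":
            reasons.append("remote VPN login while badged into the building")
    return reasons


def detect(history_raw, new_raw):
    """Learn from history, then score new events in time order.
    Returns [(user, timestamp, reasons)] for events with at least one reason."""
    history = parse(history_raw)
    baseline = build_baseline(history)
    seen = history[:]
    findings = []
    for ev in sorted(parse(new_raw), key=lambda e: e[1]):
        reasons = score(baseline, seen, ev)
        if reasons:
            findings.append((ev[0], ev[1].strftime("%Y-%m-%d %H:%M"), reasons))
        seen.append(ev)  # a new badge event updates state for later events
    return findings


if __name__ == "__main__":
    for user, when, reasons in detect(HISTORY, NEW_EVENTS):
        print(f"{when} {user}: {'; '.join(reasons)}")
```

The point of the merge is the third finding type: neither log on its own looks suspicious, only the disagreement between the badge reader and the VPN gateway does. A real deployment would replace the hour set with a distribution and handle badge tailgating and unbadged exits, which this sample data ignores.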

See you in San Francisco!

Endpoint Security

I recently gave a presentation at the Next Generation Security Summit in Atlanta, GA, on the topic of endpoint protection. I took the approach that endpoints are more than just desktop PCs these days. There is probably some debate on just what defines an endpoint.

Traditionally, the endpoint was the user workstation. Remember back in the early 1990s, when we started giving end users their own computers on their desks, to replace dumb terminals? I think the term “endpoint protection” actually evolved from the model of protecting computers with antivirus, delivered and updated by floppy disks.
We started to see threats increase ten years ago, when more employees started taking laptops home and connecting them to the Internet, and when we switched from dial-up modems to high-bandwidth VPN connections to our wide-open internal corporate networks.

Today, the risk is even greater, and the endpoints are more varied. I don’t think we can just think of Endpoint Security as a desktop security suite. We need to look at all resources that are used for data processing and storage, and we need to move our concern from one use case, to a broader definition that addresses security more holistically.

It is certainly good to be concerned about hardening desktops, but we operate in a more diverse environment, with an enterprise that extends into the cloud, with many different business access needs to address. Risk is therefore coming at us from all directions, and we need to look more holistically at risk management: protect the endpoints where our data resides, and treat the way that data is accessed as one of the threats to mitigate. We need to do more than just put AV on our computers and call that endpoint protection. We need to focus our resources on the things that are most precious to the business. We do that first by understanding business need. Endpoint protection is a means to an end. We ultimately want to protect intellectual property, sensitive data and PII, and protect the brand.

I tried to get across the point that endpoint protection needs to be a combination of things, emphasizing the efficacy of layers and security in depth that is more targeted and focused on what is important to protect. This is a work in progress, but I hope you find my slide deck interesting and perhaps even useful in thinking about the problem.