Boston bombing: "Connect the dots!!!" Post PRISM: "Eek, dots are being connected??"
Credit to Senator Russell Long for the original "Don't tax me, Don't tax thee..." line.
On Tuesday I spoke on a panel called "Automating the Critical Security Controls" at the Gartner Security Conference in Washington DC. After 14 years of being on the Gartner analyst side of that conference, it was nice to be an attendee - though I did miss the 1-1 sessions I would do all week with attendees.
The panel was moderated by Wolfgang Kandek, CTO of Qualys, and in addition to me had Larry Wilson, CISO of the University of Massachusetts and Jonathan Trull, CISO of the State of Colorado. I went through a bit of the data from the Critical Security Controls survey report I wrote, which will be introduced at a webinar on June 25th. I also went through "avoidance cost vs. incident cost" analysis for the Idaho State University PHI security issue that I published...
PRISM leaker, like Wikileaks, shows talk is cheap, information protection is hard.
I've just finished up analyzing the data from our survey of 700 respondents on the Critical Security Controls (results to be presented at a webcast on 25 June, details here) and I've seen some clear trends:
- There is a very high level of awareness of the Critical Security Controls - 35% of CEOs and 55% of CIOs.
- Reducing the risk of attacks is clearly perceived as the major benefit, with reconciling multiple compliance regimes next.
- While there is a strong feeling that implementing the Critical Controls provided those risk reduction benefits, there is a clear lack of metrics and dashboards quantifying the gain and displaying status.
That's a perennial problem in security, so I'm always on the lookout for good examples.
"Patient: Doctor, Doctor - it hurts when I do this."
"Doctor: Don't do that."
Last year I massively tore my rotator cuff, after years of injury-free lacrosse, kayaking, weight-lifting, etc. In early April of this year I had surgery, and I've been wearing a sling for the past two months. Even worse, for the first few weeks I had to wear an immobilizer, which is basically the sling from hell - a Velcro contraption that locked my arm into the Napoleonic position.
When I was in that damn immobilizer, I asked the surgeon "How could I have avoided tearing the rotator cuff?" and he said "Well, if you had been wearing this immobilizer all your life, your rotator cuff...