Wednesday, Nov 16 2011

Key Performance Indicators (KPI)

One of the conversations that I've had with many people is around metrics and KPIs.  I'm a strong believer that we have not gotten to actual KPIs in the industry.  To take it a step further, most of us feel that our metrics are pretty bad (see the S3 results).  Last week I sat down to put the final touches on our new risk methodology document and came up with some ideas that I'm now batting around.  Nothing earth shattering, but I can finally see the last pieces of the puzzle fall into place.

If you remember, I posted a while ago about the equilibrium theory as well as flow management.  Part of the equilibrium is to gather data from leaders in the company to arrive at an approximation of how much loss they are willing to accept (not to be confused with ALE).  To do this, I decided to gather 20 or so questions that focus on the risk categories (Value, Brand and Operations) to put risk into context.  What came out was very interesting.

Not only was I able to gather an understanding of what is acceptable, which governs the level of controls we implement, but I also got a metric.  I now have the ability to establish, from the business, the acceptable level of security performance for the company, e.g. $2M is allowed in remediation costs, 2 public breaches, etc.  If done right I should have 3-5 metrics for all of Security.

More to come on this later.

Monday, Nov 14 2011

Reviews, Again?!?

It's beginning to be that time of year, and I had to send along this infographic that WorkSimple put together.  Not sure if I agree with their conclusion, but it's interesting enough.

Thursday, Nov 10 2011

Invited to London but worked instead

I was recently invited to go to the London Conference on Cyberspace but couldn't go due to work conflicts.  In reading about it I really am kicking myself.  Not only are there people there that I haven't seen in a long time (it seems the only time I see them is in a public policy conversation), but I'm really in the mood for November London weather.  Besides that, it looks like it was a great event.  I'm a big believer in the public policy conversation as a way of driving a more consistent security practice around the globe.  As the threat landscape heats up in governments, it's important to have the conversation with people who have lived in it.

Thought I would post it so everyone can take a look.

Wednesday, Nov 09 2011

OMG! Governments are Spying!

There has been a lot of media coverage of the recent report to Congress on Foreign Economic Collection and Industrial Espionage.  It states that there is a huge level of espionage being done by foreign governments against corporations in the U.S. for intellectual property.  There are a couple of things that bother me about this.

  • Spying and/or industrial espionage is nothing new.  It's been going on for hundreds of years, and the introduction of the Internet hasn't changed anything other than the ease with which it can occur.
  • These electronic attacks have been going on for over 10 years and only now do we see a report?  Those of us who actually practice security have been dealing with it for a long time and trying to combat the issue in a mature, risk-mitigation-based manner.
  • The report focuses on key areas of data such as defense, energy and others.  It should be scoped as such from the beginning so as not to be as inflammatory as it is.
  • The recommendations at the end of the report should be a lot better.  If they really wanted to drive solutions to the problem, it would have suggested using a mature industry framework (COBIT / ISO) to do it.  This only highlights how far behind they are in understanding the problem.

As I've written before, the problem isn't knowing attribution, threat vectors or anything else.  It has everything to do with getting corporations to agree that this is a problem for them.  That doesn't mean that all companies will agree that this is a concern, nor should they.  It's the discussion that's important: practitioners need to drive it and have a healthy dialogue about it.

Yet this report goes for the fear sell instead of actual data and diagnosis.  This is the same for certain vendors in their "Marketing Reports": all fear, with no data to substantiate it and no solutions to solve it.  In addition, the media picks up on "China does most of the attacks" and reprints it because it's catchy.  Congrats, ONCIX, on getting media attention; however, you're ruining all of our chances of fixing it.

Tuesday, Nov 08 2011

FBI is now Spoofing Cell Towers

I usually don't read a lot of attack threads, but this one is interesting.  It appears the FBI is now in the business of spoofing cell towers in order to track and log users.  Kim Zetter reported on this in Wired's "Threat Level".  To be honest, I'm a bit shocked and nervous that this is being done.  Not only will it capture the individual in question, but also everyone else in the area who gets bumped to it.  In addition, the FBI doesn't feel it should need a warrant in order to do it.  That's the problem.  Where monitoring activities like this are needed to catch the "bad guys", they should always be done with appropriate oversight and justification.  Without a warrant, it is left open to abuse.

Evidently, the UK has been doing this for a while as well, as the Guardian reports.