Security Practices Class
Our Security Practices class in Charlotte starts Thursday afternoon. This day-and-a-half event will kick your butt on security and provide you with the security blueprint you need to plan 2012. Don’t miss this high-impact, high-energy event. Only 3 spots remain.
When to Outsource
So when is a good time to outsource a function of IT? I think anyone who has received a call from a Managed Services Company has asked that question of themselves. Some companies absolutely refuse to outsource any function of IT. Others I have seen outsource too much.
Like anything, I don’t think there is a clear-cut answer. It will depend on the talents of your staff. If your staff is really good at break/fix work, then higher-end functions like firewall management and security should be outsourced. Conversely, if your staff is more skilled in the higher-end functions, then please get the break/fix work off their plate. It is unwise to try to do all the work in-house if your staff doesn’t possess the appropriate skills.
Please do not take this as a criticism of anyone’s skills or knowledge level. God knows I am not the one to do a lot of jobs in this world, no matter how much I want to. Knowing the limits of your IT team is how you lead them to what they really want to do. People naturally gravitate towards their skill set anyway. It is the job of the leader to keep them on that path, and outsourcing certain functions of your department is the only way to lead the organization down the correct path.
My Switch from BlackBerry
I have recently switched from a BlackBerry to an Android phone. Since I have been with BlackBerry for 7 years, I thought maybe it was time to see what all the buzz was about. So here is my security review summary.
While I do see the appeal of having apps on the phone and the accessibility of information, I have to say the security is atrocious. Simple settings to protect the phone are just not there. I can easily hack around all of the security and extract information. Also, it seems so much more complex, with Google wanting to force you into their world, like wanting you to create a Gmail account. One example is that an employee of ours set up his Gmail account in seconds. While these features are beneficial to some, I really don’t see the appeal in business.
If your company has mobile security concerns, stay tuned to this blog for an upcoming event as part of the security blueprint series.
Security Blueprint
Anyone who has ever started a large-scale project realizes the planning can be daunting. But that doesn’t have to be the case with security. If you have ever wanted to change your organization to be more security focused, you need to first start with the basics: the blueprint.
We are busy with writing and speaking engagements helping companies get their security blueprint started. It isn’t difficult; you just need to know where to start.
We are conducting our first webinar in this series on Wednesday, September 28, 2011, titled The Benefits of Penetration Testing. Join me to help you start down the right road. Registration is required to attend.
Register @ http://goo.gl/cWvOv
End User Education
Another common mistake I see made in IT is assuming that what a setting or policy does makes sense to the end users. This is absolutely not the case. IT people should never assume their communication makes sense, any more than a doctor should when explaining what test they are running. Most people would have follow-up questions.
If your IT department has ever tried to roll out a security initiative or change a process and had to roll it back, it probably wasn’t the process itself that failed but rather the process used to roll it out.
Taking the time to explain the Why of the process change, and then the How, is the only way to get to the Success of any project.
Do you Stop When it Works?
When do you stop working on a task? When the thing you are working on works? That is true for most things in life: when the garbage disposal is fixed, why keep working on it?
Unfortunately, in security that technique doesn’t carry over. IT people often stop working on something when what they are installing works. When the firewall passes traffic, they move on. When the system is installed, they move on. This is a flawed approach.
In security you also have to test that the wrong things do not work. By that I mean we need to make sure the bad guys can’t get in. If we stop when it works, then maybe we opened too much access. Maybe we left a trail of holes behind in order to get the system installed.
Security practice starts with a simple principle: what is the minimum I need to do?
Simply purchasing a security product does nothing to benefit the company. Properly deploying and configuring it is the only way any benefit is realized. Do not discount getting the right people to do the deployment. Without them you will waste money.
Hubris and Security
Let’s say you have two groups of people that are involved with your company. The first group is dedicated to your products religiously, so dedicated in fact that you barely need to market to them. These customers, or fans, wait for you to come out with what’s next. Almost like mind-numbed robots, they wait for you to tell them what they need. They may even line up around the corner on the day your new product is released, and when they finally get their hands on it they can’t say a bad word.
As a company this is a great position to be in, correct? I mean, who wouldn’t want that? I know I would as a business owner.
Then let’s say there is this second group of people. They don’t talk publicly. They use homemade tools the first group has never heard of. They are extremely intelligent but don’t feel the need to show off. They just quietly work behind the scenes trying to find holes and risks in your company’s products.
The problem is that your company will be so focused on making its fans happy that it will fail to focus on the risks associated with what it is producing. As a result, the risks to your users will actually increase.
Once upon a time your products may have been more secure, more solid. But in order to increase your brand’s popularity you removed some of those safety nets, and maybe changed a few core values.
What adds to your problem is that the raving fans are so loyal they will refuse to be critical of your products, but only at first. Eventually, if you don’t address what the second group is finding, for fear of upsetting the first group, there won’t be any groups worrying about you anymore. Your circle of influence will slowly get smaller until a competitor sneaks up on you, and the next thing you know you are trying to figure out what happened.
The worst character trait for a company to have is hubris. Several companies are demonstrating this characteristic today. That lasts for a while, until you develop a new trait: humility. Several more companies have that trait.
Communicating the Why
I am in the process of preparing for a company meeting. I am not big on formal meetings, so it is rare that I call one. The purpose of this one is to communicate what our company is doing and where we are going.
I think in many companies people are so involved in their part of the business that they never see the bigger picture or the purpose of their part of it. They are so busy rowing the boat they never stop to ask, hey, where are we going?
The same is true in most companies when it comes to security. Companies never communicate to their teams why these controls are put into place. And what is the result? Less security than before the control was put into place. Why? Because if people don’t understand the why, if they don’t see where the ship is headed, then they never buy into it. They are never fully on board. Therefore, they fight the security measures that are put into place. They tape encryption keys to laptops and leave the password token on the desk.
Additionally, valuable work time is wasted as employees complain to each other that they can’t access Facebook and Twitter. If the company would just stop and educate the employees on the why and not just the what, I believe this would lead to a fundamental shift in how employees react to security measures. They would not only participate in the measures, they would self-police and make sure all the co-workers around them were participating as well.
WatchGuard Partner Conference
I recently attended the annual WatchGuard Partner Conference in Cabo San Lucas, Mexico. It was a great time and very educational. On the last day a few of us snuck out to go bungee jumping at Wild Canyon. Here is the video, shot from the side, of me jumping.
