When I asked many of you, my peers in IT, if it would be helpful to have a playbook for security management like those used by the best quarterbacks or midfielders or point guards (pick your sport!), many of you said yes right away, but then asked what it would look like.
“You mean like the SANS Top 20?” one might ask.
“You mean like OWASP?” another would say.
As downright useful as both of those sets of recommendations are, that’s not what I meant. I’m thinking more along the lines of a guide for security executives, security directors. A management guide.
“Oh, you mean like Peter Drucker’s The Practice of Management, or Steven Covey’s 7 Habits of Highly Effective People.”
That’s warmer. Both of those books help to build necessary management skills. It was then that I realized that there really isn’t a business handbook for security managers.
Therefore, I’ve started to put one together based on my interdisciplinary security management course that I’ve taught for some years at DePaul University. I call it The Security Manager’s Playbook: A Leader’s Guide to Optimizing Cyber Security for any Business.
Click here to download an abridged version for free.
Recently I was asked to describe the services of Hunt Business Intelligence. I said, “It’s like picking up the bat phone and getting expert help for any security question or challenge.”
That’s a good image, and one our customers still use to describe us to their peers. However, a more formal way of describing it is like this:
Since 2005, Hunt Business Intelligence has been helping leaders to optimize security. We serve the entire ecosystem of security—end users, vendors, and investors.
- Enterprise leaders, such as CIOs, COOs and heads of security (CISO, CSO) at large and mid-sized enterprises
- Product Managers
- Venture Investors
In short, you have Steve Hunt and his team of seasoned security experts available for you to address any challenge by phone or email or in person.
- Need outside experts to assess your security program and provide you with a formal analysis? Our Security Success Score™ measures your company’s Security Maturity.
- Got a big meeting or product release coming up? Let Steve Hunt and his Hunt Business Intelligence team ensure that you are fully prepared.
- Wrestling with a tedious security problem? We have practical, actionable advice.
- Dealing with office politics? Our advisers have seen it all before and will help you shine as a leader.
- Want a one-day workshop to accelerate your security program? Our consultants are dynamic facilitators and will leave your entire team feeling enriched and empowered.
Advisory phone and email packages begin at just $1995. Visit our website or simply drop us a note at firstname.lastname@example.org in order to get started.
Join this list of satisfied customers. Contact us today and get a free eBook: The Security Manager’s Playbook: A Leader’s Guide to Optimizing Cyber Security for any Business.
Are you one of the lucky few NOT suffering from these six costly management problems?
To learn my Four Steps to Security Maturity, and to find out your organization’s Security Success Score™ click here.
During seventeen years at Hunt Business Intelligence and Forrester Research I’ve had the privilege of researching trends and best practices across the security industry. In-depth interviews with over 450 CIOs and security leaders show that the greatest weaknesses in security programs are not technological, nor are they skill- or personnel-related. The greatest shortcomings, affecting more than 9 out of 10 security programs, have to do simply with management, or what I like to call Security Maturity.
Here is where the success of security leaders consistently breaks down:
This week, the ISSA (ISSA.org) announced a free online tool available to all cyber security professionals. It is being offered as part of its partnership with the Alliance for Performance Excellence, which promotes Baldrige-based quality and performance frameworks. You may know Baldrige as the framework behind TQM, Six Sigma and other improvement systems.
I think this is a powerful tool and a great opportunity for all of us in technology and business to start building quality into our security programs, and to resist the temptation to remain in a perpetual state of fire-fighting.
Andrea Hoy, President of ISSA, characterized the partnership this way in the ISSA press release:
The Alliance for Performance Excellence will help our members with principles and tools that can be used to build and test more resilient mature security operations. For over 30 years, Baldrige has been well recognized as the standard to reach in business for performance excellence, and I am honored that the Alliance for Performance Excellence has selected us as a partner.
The Alliance for Performance Excellence is supporting ISSA members–and the entire industry–by providing a free Baldrige-based self-assessment tool through its partner, ManageHub. This self-assessment, named the Security Success Score™, allows anyone to assess the performance of security operations in light of NIST-based and Baldrige-based frameworks. The Security Success Score™ is suitable for any sized organization, with special emphasis on small and mid-sized organizations.
Click here to take the Free self-assessment
Read the full Press Release here
Are you finally ready to improve the maturity of your organization’s CyberSecurity program but not sure where to start? The NIST CyberSecurity Framework is an excellent path to success, but it will seem daunting at first.
My customers and my fellow ISSA members with the most mature security operations follow the NIST framework, and many more are jumping on board every day.
After all, CyberSecurity only succeeds when combined with CyberMaturity. What’s CyberMaturity? It refers to running security like a well-run business. Applying business best-practices yields true resilience and cost effectiveness in a security program. Unfortunately, measuring actual progress with a standardized maturity scoring has been impossible.
Now, the folks behind NIST’s world famous performance excellence program have partnered with the ISSA and ManageHub to provide a free assessment of your organization’s CyberMaturity. Get your completely free and anonymous Security Success Score here.
When you are ready to accelerate your progress, then use this new service: CyberMaturity-as-a-Service.
Simply sign up, then log in to the online workspaces of ManageHubSecurity.com. Begin following the preloaded processes of the NIST Cybersecurity Framework and watch your security operations begin measurably improving right away.
You’ll be assigned a personal online coach for a small monthly fee who will periodically check your work and give you guidance along the way.
Now, small and mid-sized organizations can have the same (or better) maturity as the large, rich enterprises. It’s easy, and you do not need expensive consultants or technology.
Start today! Send me a LinkedIn note to learn more, or visit http://www.managehubsecurity.com
I don’t read every press release that comes down the wire. But when I see one from a cyber security company called Secret Double Octopus–no lie–I take notice.
“Secret Double Octopus. This has gotta be good,” I thought to myself.
The real thrust of the press release is this. Encryption is strong, but the infrastructure supporting it isn’t, and that is how secrets get leaked. However, by “shredding” the data and sending the pieces through different routes, any network traffic that is intercepted is unusable on its own.
That’s good, but there is more. There is another sexy idea in the announcement by Secret Double Octopus, and that is a world without keys. Keys are the cryptographic shorthand for the authentication technologies that lock and unlock secure communications across a network. Keys are the weakest link in the otherwise bulletproof encryption architectures we use today. So if we can eliminate keys and key infrastructure, we take away the biggest source of risk.
Secret Double Octopus claims to do just that using mathematical theory that is already several decades old and well-respected in the academic and cryptographic communities. In layman’s terms, this “new” technique is called “secret sharing.” The core of the solution is to starve the attacker of sufficient information for any meaningful computation. In geek speak, “you cannot solve one equation in two unknowns.”
Bottom line: even after capturing some or all of the data transmission, the attacker lacks the ability to solve for the variables.
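Threshold secret sharing, the decades-old idea the release alludes to, as an added illustration of the concept (this is not Secret Double Octopus’s code or protocol, whose details the release does not give): Shamir’s scheme over a prime field, where the secret is the constant term of a random polynomial and each share is one point on it. The prime, threshold and sample values are constructed here; the last function shows, over a small field, why fewer than t shares leave every possible secret equally consistent.

```python
import secrets

# Mersenne prime 2^127 - 1: a field large enough for a 16-byte secret (constructed choice)
PRIME = (1 << 127) - 1


def split(secret, t, n, prime=PRIME):
    """Return n shares (x, f(x)); any t of them recover the secret f(0)."""
    if not 1 <= t <= n < prime or not 0 <= secret < prime:
        raise ValueError("bad threshold, share count or secret")
    # Random polynomial f(x) = secret + a1*x + ... + a_{t-1}*x^{t-1}  (mod prime)
    coeffs = [secret] + [secrets.randbelow(prime) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, i, prime) for i, c in enumerate(coeffs)) % prime)
            for x in range(1, n + 1)]


def interpolate_at(points, x0, prime=PRIME):
    """Evaluate at x0 the unique polynomial of degree < len(points) through `points`
    (Lagrange interpolation in the prime field)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % prime
                den = den * (xi - xj) % prime
        total = (total + yi * num * pow(den, -1, prime)) % prime
    return total


def recover(shares, prime=PRIME):
    """Recover the secret f(0) from any t (or more) distinct shares."""
    return interpolate_at(shares, 0, prime)


def implied_missing_share(known, candidate_secret, x_missing, prime=PRIME):
    """The eavesdropper's view with only t-1 shares: assume the secret is
    `candidate_secret` and compute what the one missing share would then be.
    Every candidate yields a valid share value, so none can be ruled out."""
    return interpolate_at(known + [(0, candidate_secret)], x_missing, prime)


def candidate_secrets(known, x_missing, prime):
    """Over a small field, map every possible secret to the missing share it
    implies; the map is a bijection, i.e. t-1 shares carry zero information."""
    return {s: implied_missing_share(known, s, x_missing, prime) for s in range(prime)}
```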
Securing our most sensitive data, and eliminating troublesome keys is the mission of Secret Double Octopus.
The impact could be huge. Today banks know that their PKI (public key infrastructure) is not secure enough for their most sensitive transmissions. And the demands of the Internet of Things have already strained PKI to the breaking point. Secret Double Octopus (I love saying that!) comes to the rescue, potentially enabling billions of secure, keyless transactions between cars, trains, factory machines and toasters to the cloud and to private networks.
The coming months will be fun to watch as this new startup out of Israel demonstrates its capabilities and attempts to disrupt the security and networking worlds.
Famed security adviser Steve Hunt explains “Why I Hate Security.”
These criticisms of cybersecurity and risk management are nothing new. You’ve heard them all before, or muttered them under your breath. If you are a business executive, you’ve shaken your head when you’ve seen it. And if you are a security professional, you’re guilty of more than one.
- “I hate security.”
- Much of what passes as security is no more than window dressing, or, as Bruce Schneier has called it, Security Theater, with its posturing, phony controls and security guard bravado.
- Not a week goes by that a CIO or other executive hears a pitch from a security vendor, whose eyes are bugged out as their words ooze fear, uncertainty and doubt.
- Security directors, including some of the most esteemed CISOs, can be seen from time to time running the halls, arms flailing overhead, screeching “The sky is falling! The sky is falling!”
- Risk management experts talk for hours about the “fuzzy logic” of measuring impact and likelihood, using game theory, and generally talking until the audience goes numb.
- And when the big one happens, when the big data breach hits, as it inevitably does, security pros and business executives alike point fingers at budgets, and internal politics, and vendor missteps for blame.
So I am here to give you the straight dope. To address all of these complaints once and for all. To put the discussion to rest so we can all move on.
Security is all those things.
Security IS often mere theatrics.
Vendors DO commonly sell FUD in place of value.
Risk management experts DO often employ pseudoscience “to definitively calculate” intangible and unknown risks.
CISOs DO sound like Chicken Little when they predict the things we simply aren’t prepared for and need more budget for.
And security pros DO like to find a scapegoat.
All of these things are true, and security deserves its criticism.
I personally, however, look at it differently. Security is something special to me. For example, when I see a CISO work his or her way out of a messy data breach by responding quickly, limiting impact, and recovering smoothly, it gives me a very satisfied feeling.
Moreover, when I think of my own career as a security professional, I think of the truly costly and damaging attacks that we’ve avoided by working hard to improve continuously.
In the early 1990s I worked at a financial institution in Chicago. We got hacked–before we even had the word “hacked.” The bulletin board server was fine yesterday, but today it isn’t, and the audit log is gone. As we scratched our heads an ol’ timer leaned over us and said, “Looks like you got a security problem with your computer.”
I was stunned. I had never considered security and computers in the same thought before. My father was a locksmith, and I had worked my way through college and grad school at the University of Chicago with my own locksmith company and building PC clones on the side. So when I heard those words, a light bulb went on. I thought to myself, I know security, and I know computers. Right then I began retooling for a career in computer and network security. Right place. Right time.
So security gave me an entrée into the world of the fledgling Internet, and into the world of creating value for the business in ways I never could have imagined before that fateful day seated cross-legged on the floor, under a desk, staring blankly at the back of a bulletin board server.
Security also did much more than that. It solved real problems. From the script-kiddies of the ’90s to the state-sponsored hacking of the 2000s, security gave hundreds of professionals an opportunity to fight in very foreign territory: guerrilla IT warfare. We created a new way of operating the Internet, and we opened doors permitting businesses to create value and revenue in new ways. For example, the security community put its collective head together, limiting loss sufficiently to make online commerce (once called e-commerce) a reality.
Converged approaches to physical and cyber security in the decade beginning in 2001 created an amazing new world of inter-networked security cameras, intrusion detection, gates, fences, locks, employee ID badges, laptops, personal devices, and home automation controls. Everything was suddenly networkable because the basic questions of authentication and authorization (who are you? and, what are you supposed to do?) were answered by security professionals.
Today, we are coming up with clever ways to extend the work we did previously and apply it to the Internet of Things. Soon, we will see alternatives to keys and locks being used widely in the secure networking of any and every common device at home or sensor on a locomotive. Homes will operate more efficiently and businesses will make countless billions in new revenue because of IoT. This is possible because the security industry truly is doing its best.
Does security have its foibles? Is it security theater laced with FUD, bad logic and blame? Yes. But does it create value that outweighs its occasional silliness? Yes, it certainly does. For me personally, it has provided many benefits and opportunities, making me a better philosopher of technology, a better technologist in general, a better citizen of the world, and a better provider for my family.
So the next time you sit through another ridiculous vendor pitch about all the bad things that will happen if you don’t buy their product, remember that you can still use your phone to securely transfer funds at your bank, buy a gift for your kid on Amazon, or plan the next product launch with confidence that the security pros have your back.