Risk Management

8 Nov

SecuRisk Solutions today announced the release of its new podcast series, SharkTalk™, in which cutting-edge information security topics and issues are discussed with renowned authors, speakers, technologists, executives, contributors and pragmatists in the information security arena.

You can subscribe to these podcasts via iTunes or RSS.

For more information, please visit - Shark Talk with Mano Paul

Category : Application Security | Blogroll | Certifications | Compliance | Education | Network Security | News and Events | OS Security | Risk Management | Training | Wireless Security | Blog
10 Feb

Many major news carriers found it important to carry the news today that “Obama orders a 60-day cybersecurity review”. Some stated that “Cybersecurity is now one of the major national security problems facing the United States”, while in reality it is a major INTERNATIONAL security problem facing the ENTIRE GLOBE, not just the United States. Other references were made to the need for the White House to

  1. initiate a drive to develop next-generation secure computers and networking for national security applications; 
  2. establish tough new standards for cyber security and physical resilience; 
  3. battle corporate cyber espionage and 
  4. target criminal activity on the Internet.

All of these are important and critical issues that cannot be ignored, but one major issue missing from this list is the PEOPLE component of cybersecurity. As my whitepapers have repeatedly alluded to, people are the FIRST line of DEFENSE; technical security controls are rendered futile by people who are not aware of how to protect their own computing ecosystem.

I was privileged to be in the audience of the Commission on Cybersecurity for the 44th Presidency on the day (December 29) their report was released for public viewing, where the panelists Rep. Jim Langevin (D-R.I.), Rep. Michael McCaul (R-TX), Lt. General Harry D. Raduege Jr. (USAF, retd.) of Deloitte & Touche and Marcus Sachs of Verizon Communications participated.

Highlights from the panel I captured are given below.

  1. Cybersecurity is today’s greatest security threat.
  2. There is a need for increased awareness among the American people.
  3. The threats in the virtual world are real today.
  4. Espionage and a Digital Pearl Harbor are very likely.
  5. Cyberspace is a national asset and needs appropriate protection, not just for national security but also for economic security, without compromising privacy and civil liberties.
  6. Buy-in from the international community is needed as well, since cyberspace does not end at the water’s edge.
  7. Partnerships with the private sector are also extremely important and have proven useful in past situations.
  8. There is a need for a cyber mindset: safe and protected use of cyberspace.
  9. There is a need for education and awareness, across the nation and internationally.

“It is imperative as a nation that cybersecurity is taken into account seriously for the livability of the nation. If not, we have failed as a nation.”

From the press release it seems that President Obama is taking cybersecurity seriously. Only time will tell how livable this nation and the world will be. It’s about time that cybersecurity was at the forefront.

Category : Application Security | Awareness | Certifications | Education | General | Management | News and Events | Risk Management | Training | Blog
29 Apr

What do you think Shakespeare had to say about software security? What does a naked motorist have to do with confidentiality? What does the Jungle Book character Baloo have to say about security essentials (the bare necessities of security)? What does African wildlife have to do with security concepts? What does pH have to do with security? And more …

Robert Frost’s poem “The Road Not Taken” (the one about the road less travelled) ends with the line “And that has made all the difference”. Come find out the answers to the questions above and see what it takes to look at security from a different perspective, one that would make ALL the difference. The session covers not only the higher-level abstractions of security concepts, but dives deep wherever applicable into concepts and code, making it a MUST attend for development, QA, PM and management staff on both the IT and business side.

At the Austin Open Web Application Security Project (OWASP) session on April 29th, 2008, I gave the presentation below, which you can download by clicking on the link.

[Slides: Security Management (Managing Elephants)?; Sleep Swimming (Vigilant Software)]

Software Security - The Road Less Traveled

Category : Application Security | Awareness | Education | Management | News and Events | Risk Management | Training | Blog
26 Nov

The CSI 2007 conference, held in Arlington, VA from Nov 3-9, 2007, was a blast. In addition to the conference sessions being very educational, it was a great networking event, affording one the opportunity to meet the brightest minds in the security industry. You can access the conference posting here.

I presented on Application Risk Modeling as an integral part of the SDLC (System or Software Development Life Cycle), introducing the Tic-Tive™ Risk Spectrum.

A preview of the presentation contents is given below.

Figure 1. The SecuRisk™ Methodology of Application Risk Modeling

Figure 2. The Tic-Tive™ Risk Spectrum. Where does your organization/company fall in this spectrum?

You can download the entire presentation by clicking on the link below.
Application Risk Modeling; An Integral Part of the SDLC - By Mano Paul

Session Abstract -
The methodology introduced in this session is designed to provide proactive risk analysis and modeling techniques for applications. It addresses obstacles experienced by security professionals due to lack of automation and objective risk modeling fundamentals. Attendees will understand how application risk management results in reducing overall risk within an enterprise and transferring risk to the appropriate business segment.

Category : Application Security | Compliance | News and Events | Risk Management | Training | Blog
3 May

While attending the Computerworld 100 Premier IT Leaders conference in March, James Dallas, CIO and SVP of Medtronic Inc., said in his keynote address that, as a CIO, he is interested in a ham-and-ham sandwich, not a ham-and-egg sandwich, in which the chicken is only participating while the pig is taking all the risk.

Extrapolating the idea to risk management within organizations, if we liken ‘ham’ to IT and the business, what are some proven methodologies that information security professionals and leaders can use to “SHARE the RISK” with the businesses they support, so that the business is not just participating?

Additionally, are there other analogies that reflect a similar scenario?

Category : Risk Management | Blog
24 Feb

What good is a parachute to a skydiver when it is not opened or fails to open? Likewise, what good are security tools, controls and processes to a company when they are not implemented, or not implemented properly?

Just purchasing more and more tools and establishing multiple security controls and processes, without implementing them properly, may lead one to what could be called “placebo” security.

Implementing security properly entails a thorough investigation of tools that actually handle (mitigate/transfer/eliminate) risk, the establishment of processes that “enable” rather than “impede” the business(es) you support, education of your personnel so that they do security because they WANT to, not because they HAVE to, and a governance framework to enforce policies, standards and procedures.

So, what are we talking about? What happens when a skydiver’s parachute is not opened or fails to open …

Category : Management | Risk Management | Blog