Your title really means nothing

I can't tell you how many times I've met people over the years who have a fancy title like CEO or Director of This and That and it ended up being more of a façade than anything. As John Maxwell talks about in this video, your title really means nothing.

I've often told people, I don't care what you call me as long as you pay me what I'm worth. That helps keep me on track to ensure I maximize my value to the marketplace.

Even labels after your name such as CISSP, CCIE, CTO and Esquire mean nothing in the grand scheme of things. Just because you've earned these letters doesn't mean you're suddenly an expert in the field or, for that matter, someone that people actually respect and enjoy working with. Instead it's the value you bring to the table. Work by this mantra and you'll reap rewards you never imagined.

Read More

Users making security decisions is your Achilles' heel

I recently came across some content in a book outlining the benefits of SSL. The author depicted a scenario where SSL is in place to help the user authenticate the server/site he's connecting to and if a certificate-related error popped up in the browser then the user would know that the site was malicious and (presumably) not continue on with the connection. This very situation is an example of how we assume/presume/hope that users are always paying attention and will do the right things with security.

What do you think would happen with the average user in this situation? I'm confident that most people would simply think nothing of it, click past any pop-up warnings and continue about their business. Why? Well, that's what people do. And that's the very problem with have with information security today.

No doubt, we have to be able to balance security with convenience and usability but the moment we allow users to make security decisions - especially ones that could involve phishing and related malware attacks - we open our networks up to complete compromise. This goes along with something I've been saying recently: Your network is only one click away from compromise™ [my new trademark ;-)].

Training, technology - you name it, nothing is 100% certain other than the fact that you have this risk in your business this very moment; guaranteed. I'm not convinced we're going to be able to get past this.

Read More

Keynoting the NKU 2011 Security Symposium next week

If you happen to be in the Cincinnati, OH area next Friday, October 28th, I'd love it if you could join me as I give the keynote presentation for the Northern Kentucky University 2011 Security Symposium. I'll be talking about mobile security problems and solutions and it looks like they've lined up tons of great content and speakers.

Hope to see you there!

Read More

Dan Wheldon's crash a harsh reminder

IndyCar lost a great driver yesterday. When I first heard of Dan Wheldon's crash and death I couldn't believe it. I'm a big IndyCar fan and felt like I knew him - especially with the commentary he has been providing on Versus' coverage of IndyCar this year.

Driving a race car myself - albeit at a *much* different level - I can't help but question the risks of what I do. Seeing these types of incidents rattles me to the core. It's certainly easy to say: Well, Dan knew the risks every time he got into his car...maybe, but it doesn't make it any better nor will it bring back the driver, husband and father we lost yesterday.

I'm letting this incident serve as a reminder of just how fragile life can be and how important it is to spend quantity time with the ones I love. Something most of us probably need to work on.

Rest in peace Dan and God bless you and your family.

Read More

What can you really say about your network?

Here's a new guest blog post I wrote for AlgoSec (a Roswell, Georgia-based company with some really solid firewall management applications) where I talk about something near and dear to all of us in IT:

Do you really understand your network?

...it's more than just a sappy relationship. :-)

By the way, in case you missed it, I wrote a whitepaper for AlgoSec recently that you may be interested in as well:

Firewall Management: 5 Challenges Every Company Must Address

Enjoy.

Read More

My latest bits on Windows 7, Microsoft SCM and Metasploit

Here are some new pieces I've written for my friends at TechTarget on Windows security that you may be interested in including bits on the often overlooked but oh so valuable Security Compliance Manager and Metasploit:

Using Windows 7 management tools to your advantage

Getting to know Security Compliance Manager

Why aren’t you using Metasploit to expose Windows vulnerabilities?

You know the deal, be sure to check out www.principlelogic.com/resources.html for links to all of my information security whitepapers, podcasts, webcasts, books and more.

Read More

Join me at the CDW - TechTarget seminar in Phoenix next week

If you happen to be in or around Phoenix, AZ next Thursday October 13th, I'd love it if you could join me at the TechTarget / CDW seminar: Predictive Security: Plan Ahead to Stay Ahead of the Next Threat.

I'll be giving the keynote and combined breakout session in addition to the sessions provided by other vendor experts. We'll close out with a lively Q&A that I know you'll enjoy.

If you can't make the Phoenix event, I'll be in Philly and New York next month so perhaps our paths will cross in one of those cities.

For what it's worth, here's a sampling of audience feedback on my keynote and breakout sessions from our Boston event two weeks ago and our Dallas event that took place in August:

• Kevin was great - perspective with lots of practical suggestions.
• Perfect speaker, enjoyable to listen to.
• Awakening presentation.
• Great speaker, very knowledgeable.
  
• Left me thinking.
• Great job! Very enjoyable.
• Excellent insight and perspective
• Outstanding Presentation
• Good lead into sessions for participants
• Insightful view of foundation related tasks for security
• Set the stage and energy level right
• Kevin is a good speaker
• Really good relevant quotes and analogies
  

Hope to see you soon!

Read More

Information security's bond with e-discovery is strengthening

We're seeing more and more how information security and e-discovery go hand in hand. Here are two new pieces I've written that delve into the subject. I hope you enjoy.

Information security’s tie-in with the e-discovery process

Lax enterprise mobile device management hampers e-discovery

As always, be sure to check out www.principlelogic.com/resources.html for links to all of my information security whitepapers, podcasts, webcasts, books and more.

Read More

Should You Ban Facebook at the Office?

In the whitepaper To Block or Not. Is that the Question?, Palo Alto Networks explores the issue of "Enterprise 2.0" applications such as Facebook, Skype, Twitter and YouTube and how users are now in control of the network. Meanwhile, IT staff is saying "just block it!" and users say "just don't block it!," but it's not that simple. As the whitepaper points out, the real answer lies in your ability to see what's actually going on on the network and then decide on the best fit for your organization.

An interesting bit from the whitepaper is that 69% of respondents to a McKinsey study say their companies have gained measurable business benefits, including more innovative productsand services, more effective marketing, better access to knowledge, lower cost of doing business and higher revenues because of Enterprise 2.0 software (while IT staffers argue the opposite: that these applications DON'T boost the bottom line). Knowing that most traditional security controls will block their software, developers of Enterprise 2.0 applications look for ways to circumvent the system so that employees and other users can get access anyway (necessity is the mother of invention, right?).

For governance to work, IT should play a big part in the definition of policies, but not be the sole owner of those policies (something I've been ranting about for years because policy creation and enforcement is an HR, legal and management issue — not an IT issue). I have a client that's experiencing this very dilemma with social media right now. Company managers want to provide Facebook access for their employees. However, recent malware outbreaks have compromised several company systems and placed its network at risk. They have policies and antivirus software, but not anti-spyware protection which would have (presumably) blocked the
infections. We're now working on a plan for moving forward to keep users happy and minimize business risks at the same time.

These new applications are presenting a Catch-22 that's throwing many small and medium-sized businesses for a loop. There are no good answers right now. If you take anything from this, just know you have to do your homework and understand the risks/benefits. Blocking or no blocking, the angles to this issue are still being worked out — one business at a time. Stayed tuned and, in the meantime, stay vigilant.

Read More