Defining Information Security

Here is a short report called “Ingredients for hiring a good information security professional”. Perhaps most notable is the advice to define the job well:

One of the biggest information security hiring mistakes can happen long before the first interview – not clearly defining the role being filled. Start by detailing the goals and objectives that the role is expected to accomplish:

– Is the role operational or strategic?

– Management or delivery?

– Compliance or operations?

– Centralized or business unit specific?

– Tied to an application or general to the enterprise?

– Will the person be focused within a small team or reaching out to business unit leaders?

– Are there internal and external communications expectations?

The answers to these questions will go a long way in helping qualify potential candidates.

A more subtle variable is the role of information security within the organization and its direct and indirect reporting relationships. This role could interact with the chief information officer, chief security officer, chief risk officer, IT audit, general counsel and multiple business units – not to mention executive management and the board of directors. Once again, by understanding what is expected, key candidate strengths and capabilities can be defined and assessed.

At first glance this might seem blatantly obvious to any hiring manager. You must know the position well to find the right match. However, the field is relatively young and evolving rapidly so I would argue that definition of the position is even more vital than expressed by the authors. And by that I mean people need to assess exactly where and how in the organization they will operate and what levers they will be expected to know how to push and pull.

There are few organizations or widely accepted references available that define what exactly a good information security role should look like a year or two from now. And even the good ones struggle to map emerging technology (biggest risks?) to old control language — what do we do about ubiquitous wireless networks when we are required to harden the “perimeter”? This sort of issue always gets me thinking about the speed at which skills become obsolete: is a TV expert someone who can rebuild your television set, or someone who can help you estimate the best time for replacement and pick out a new one with the right feature set/value ratio?

Software security still feels like it is in the primitive state of men hunched over soldering irons and circuit boards, but it will not be long before the assembly lines speed up, the quality/cost model shifts, and the role of security fundamentally changes to address the new (most relevant) risks. That might seem a bit esoteric, but I used to manage a group of engineers who literally de-soldered and rebuilt CRT displays. Similarly, I now hear about positions where security is to be a strategic and business-oriented practice (a fine blend of politics, economics, and polisci) instead of a hands-on firewall wrangler position or a patterns/exceptions expert.

The market for security talent certainly seems to be expanding as more businesses realize information is flowing everywhere all the time and they need to do something about the risks, even if they are not sure exactly what. The dearth of good role-models, templates and examples provides interesting opportunities for leadership, with many more changes ahead.

Clinton on Prop 87

Interesting comments from Clinton on the economics and risk issues behind Prop 87

Now, I know the oil companies have trotted out some economists in their ads. But let me ask you something: If they really thought you were going to pay for this, would they be spending all that money trying to convince you to vote against it? You need to know that California is the only state in America without any kind of extraction fee on its natural resources on oil.

I like that. Well said.

I come from a state, Arkansas, where we had an oil and gas severance tax. It never makes any difference in the price. It’s set in the market. There are plenty of states with very, very high severance taxes, much higher than Prop 87 would impose here, that have less expensive gasoline. Believe me, this — all this campaign is a ruse. This is designed to slow down America’s transformation to a clean, independent, energy economy.

And I want you to think about it, all of you students, not just from the point of view of climate change, but also our national security. Aren’t you tired of financing both ends of the war on terror? And think about — think about it from the point of view of our economic security. We are now in a period for the first time ever when we’ve had five years of economic growth, a 40-year high in corporate profits, five years of increasing worker productivity. So the people who are working for us are doing a better job every year, and yet wages are stagnant, poverty is going up among the working poor, and the people without health insurance that are working and their children are increasing.

Now, why is that? That is because we have not found this generation’s new jobs.

True enough. The economy is being stifled by giant fat companies who fear innovation and threats to their stranglehold on margins. But even more pointedly:

And I cannot tell you how strongly I feel about this. The argument that this is going to raise your gas prices is just bogus. It’s not so. All my public career before I became president — and I’ll say it again — was spent in a state that used to have a lot of oil, still has a lot of natural gas. Nobody in the whole wide world ever thought that measly little extraction tax we had had anything to do with the price people paid for their natural gas or their gasoline. No one. The only way they can even put these ads up and make this argument is that you never had it, so you don’t know. Take it from me. I’ve been there. I lived in a place that had it. It will not make a difference to the price, but it will make all the difference in your future. All the difference in your future.

Tough words from a guy who lied under oath. Despite his past personal issues, it is easy to see that he is 100% right about the economics and risk of Prop 87.

Oh, and I also read an article about Gore’s speech on this topic, but more interesting to me is the anti-Prop 87 statement in that same article:

“When you look at what’s in there, it’s clear to see what harm it would do and it’s totally unclear there would be a benefit,” DeLuca said. “There’s no guarantee that at the end of all this … we’d see anything for the $4 billion.”

Clear harm? I’m afraid I do not follow. What “harm” is there from taxing companies who are extracting natural resources? A decrease in production? That is about as likely as finding WMDs in Iraq. There is no clear “harm” to the taxes. In fact, the second part of DeLuca’s argument gives this away when he reveals his weak grasp of risk management. Do the oil companies only drill when oil discovery is guaranteed? No, they blow hundreds of millions of dollars on prospecting and research. Now, imagine if they made the same/similar investment in another potential source of energy…they might not find the biggest discovery in history, but even a few minor successes would go a long way towards the goal of reduced emissions, new jobs, and independence from petroleum.

Macavity: The Mystery Cat

by T. S. Eliot (1888-1965)

Macavity’s a Mystery Cat: he’s called the Hidden Paw —
For he’s the master criminal who can defy the Law.
He’s the bafflement of Scotland Yard, the Flying Squad’s despair:
For when they reach the scene of crime — Macavity’s not there!

Macavity, Macavity, there’s no one like Macavity,
He’s broken every human law, he breaks the law of gravity.
His powers of levitation would make a fakir stare,
And when you reach the scene of crime — Macavity’s not there!
You may seek him in the basement, you may look up in the air —
But I tell you once and once again, Macavity’s not there!

Macavity’s a ginger cat, he’s very tall and thin;
You would know him if you saw him, for his eyes are sunken in.
His brow is deeply lined with thought, his head is highly domed;
His coat is dusty from neglect, his whiskers are uncombed.
He sways his head from side to side, with movements like a snake;
And when you think he’s half asleep, he’s always wide awake.

Macavity, Macavity, there’s no one like Macavity,
For he’s a fiend in feline shape, a monster of depravity.
You may meet him in a by-street, you may see him in the square —
But when a crime’s discovered, then Macavity’s not there!

He’s outwardly respectable. (They say he cheats at cards.)
And his footprints are not found in any file of Scotland Yard’s.
And when the larder’s looted, or the jewel-case is rifled,
Or when the milk is missing, or another Peke’s been stifled,
Or the greenhouse glass is broken, and the trellis past repair —
Ay, there’s the wonder of the thing! Macavity’s not there!

And when the Foreign Office finds a Treaty’s gone astray,
Or the Admiralty lose some plans and drawings by the way,
There may be a scrap of paper in the hall or on the stair —
But it’s useless to investigate — Macavity’s not there!
And when the loss has been disclosed, the Secret Service say:
“It must have been Macavity!” — but he’s a mile away.
You’ll be sure to find him resting, or a-licking of his thumbs,
Or engaged in doing complicated long division sums.

Macavity, Macavity, there’s no one like Macavity,
There never was a Cat of such deceitfulness and suavity.
He always has an alibi, or one or two to spare:
And whatever time the deed took place — MACAVITY WASN’T THERE!
And they say that all the Cats whose wicked deeds are widely known
(I might mention Mungojerrie, I might mention Griddlebone)
Are nothing more than agents for the Cat who all the time
Just controls their operations: the Napoleon of Crime!

I can get behind it, up until the end. Napoleon was devastated in Waterloo by Wellington and the Coalition army…who/what would be the defeat of Macavity? Could it be Sherlock Holmes?

Chinese hunt and kill Tibetan nuns

More chilling details are now coming to light regarding the Chinese practice of hunting down and killing Tibetans who try to emigrate via remote snowy mountain passes:

As morning dawned on Sept. 30, Kelsang was trudging through chest-deep snow. Her pack was nearly empty. “For the last three days we had no food,” says Thupten Tsering, a monk who is seeking religious freedom in India. At a press conference Monday in New Delhi, he and others recounted their escape for the first time.

The group was walking single file and had just reached the 18,753-foot Nangpa La Pass when they heard the distinct “zing” of bullets passing on either side. “They were shooting all around,” says Tenzin Wangmo, one of three nuns walking directly behind Kelsang. They never saw the Chinese policemen. “When the shooting was going on I just prayed to His Holiness the Dalai Lama to kindly save us,” she recounted softly.

When a bullet hit young Kelsang, she collapsed into the snow, crying that she had been hit and asked for help. But the nuns themselves were weak with cold, fatigue, and hunger. Still Ms. Wangmo says she made an attempt to grab the fallen woman’s arm and pull her along. She was unsuccessful, she says: “There was a monk from the group who said, ‘She is dead – if we don’t run away we will all be finished.’”

Amazing to read that the official Chinese explanation is that the border patrol was acting in “self-defense”.

My previous post on this is here.