Posted by News Desk
Tuesday, 23 June 2009
Join Brightfly's Managing Director of Research, Brandon Dunlap, as he moderates this morning's panel on log management. Panelists include A. J. Wright, Chief Architect of the University of Tennessee's Technical Review Board, and Varun Kohli, Sr. Manager of Product Marketing at ArcSight. The focus of this session will be the cost-benefit analysis of SIEM and Log Management technologies, with special attention paid to the development of business cases supporting these types of projects.
Last Updated (Tuesday, 23 June 2009)
Posted by Brandon Dunlap
Tuesday, 19 May 2009
Having recently compiled my notes from Infosecurity Europe 2009, I was fast on the hunt for similarities and differences between the views expressed "across the pond" and those held by the US markets. While there is longstanding acceptance about what constitutes a comprehensive and effective security program across both continents, what really stood out was how different our approaches were.
Here in the US, many client companies we work with have been struggling through "reconciliation" projects of one stripe or another. By reconciliation, I mean the cross-mapping of multiple regulations and industry best practices to one another as a sort of gap analysis for the controls being implemented in the enterprise. This practice has been pervasive for at least 5 years, since we first began our Illumination project (acquired by BindView in 2005, now part of Symantec's ITGRC offering), and continues to this day.
We have watched as vendors have not only promoted this problem, but have actively worked to solve it. There has been a sort of Cambrian explosion in the marketplace as vendors have ramped up the number of controls in the libraries of their products. Archer's acquisition of Brabeion is a perfect example. In the press release, and subsequent media coverage, the addition of Brabeion's controls library was touted as a key benefit of the deal. This arms race shows little sign of slowing, as projects such as the Unified Compliance Framework are starting to show up in RFPs for tools in this space.
One of the things we have realized in our research is that having more controls to choose from is not necessarily better. From the end user's perspective, having a product with a gigantic library of controls actually makes the problem more difficult, since there now needs to be a long and drawn-out process of justifying and rationalizing the vendor's content against the risk appetite and audit guidance within the organization. Having more controls implemented is also of dubious benefit, especially since it is not actually indicative of due care (what a reasonable person, in similar circumstances, would do). This particular problem is the genesis of our latest effort, The Consensus Controls Project, a portal where organizations can anonymously share which controls, regardless of origin framework, they are actually using.
Contrast this approach to what we saw in the UK. While there were many booths on the expo floor from the US heavyweights in the IT GRC space, and many UK-based start-ups, the attendees didn't seem to understand GRC as a concept. The term itself was often met with confused looks that ended only upon explanation (usually starting with defining the acronym). Nearly every person I talked to, regardless of organization type (public sector, private, publicly traded, etc.) or size, seemed to be focused on ISO 27001 and certification. They saw this as a stamp of approval on their security program by an independent outsider, and one worth pursuing for competitive advantage. When pressed about other control frameworks, such as COBIT, we were quickly dismissed. What these people saw was a need to get back to basics. Considering our long-held view that nothing has fundamentally changed in information security in nearly 30 years (except for the underlying technology; the basics still apply), this viewpoint resonated with us.
To sum up, what we found was that the people we talked to in the UK were more focused on picking a framework (in this case ISO's) and working to be the best that they could be at managing to that framework, as opposed to cobbling together a controls environment from multiple frameworks and working to reconcile it internally.
Last Updated (Wednesday, 27 May 2009)
Posted by Brandon Dunlap
Wednesday, 22 April 2009
The problem being faced is really not so different from the age-old advertising problem of reaching the right audience with the right message, at the right time. Having developed security awareness programs based upon advertising and marketing models in the past, I suggest the following:

Define the target audience
Not all messages will resonate with, or be accepted by, all audiences equally. That means that the user population should be segmented into distinct groups, each targeted with messages tailored to its "demographic". Even for the largest organizations, it is rarely necessary to segment beyond 3-5 target groups (for example: Executives, Middle Management, Employees).

Tailor the message
Since each group has its own worldview (not just on security issues, but also on corporate culture, its standing in the organization, the requirements of the job, etc.), it is important to use language and messages that take these needs into consideration. A good place to start in crafting your message is to consider how you would convey the topic to a member of the target audience in conversation. Composite personas work well for creating "use cases" for these conversations. You can then work with the communications group to establish appropriate wording and the level of formality for each persona, or group of personas if more than one is created for each demographic slice. You will also want to consider who the sending party is for each message. If you can "borrow" authority from the executives on an important topic, that may give the message a better reception than one coming from Corporate Communications or Security.

Plan the campaign
According to some estimates, the average person is bombarded with 3000+ advertising messages per day. Within the confines of your company this number is lower, since I am assuming you don't allow major brands to put up billboards in your offices. The reason we are inundated with marketing messages is that it has been shown to take multiple attempts to reach us before a message sinks in. It has also been shown that using multiple mediums increases effectiveness. By taking a campaign-based approach, you can carry key messages across posters, brochures, e-mail messages, presentations, etc. to increase retention of the material being offered. This is a luxury that allows you to craft a series of messages on a given topical area and deliver them over time. The benefit is that you hit each person with multiple instances of the same message, each one crafted and communicated slightly differently, so that each message reinforces the previous one or hits where that one missed.

Test the campaign
With a defined messaging campaign, you can then test each message for its effectiveness against a target population. You can use tools you probably already have to count how many of your messages are sitting unopened, or in people's trash folders, on the mail server. This will help you adjust your subject line to ensure they at least open the message, for example.

These techniques are just a start, but hopefully they offer insight into a new and interesting way to view your awareness campaign and give you an idea of how to define for the communications team how best to address the issue of getting the word out to the masses.
Last Updated (Wednesday, 22 April 2009)