
Archive for Into the Breach

onTour Updates - where is Michael Santarcangelo?

Greetings from Sierra Vista, Arizona with a long overdue update. While I may have been quiet (rare, I know), I have not been idle.

A few months ago I was focused on tracking down security fundamentals - and how they need to be applied; last week I was able to craft an intense training session that brought a group of professionals through a unique training class designed around that very concept. It was a great week and really has me energized (despite the need for sleep).

I also shared some insights from Into the Breach with a group at Fort Huachuca yesterday. The best part - for everyone, myself included - was the hour-long conversation that ensued after the keynote. We talked about current challenges and how we can face them by addressing the true problems (not the symptoms) and how to engage people to take responsibility while increasing our ability to hold them accountable.

We are going to take some time today to visit Bisbee, AZ before heading up to Tempe, AZ tomorrow. This is our final “pre-tour” trip as we work out the kinks of driving cross-country in the RV multiple times a year, running the business and spending time as a family. This trip was much smoother than the spring “expedition” and we are already looking forward to the onTour launch in September!

As we make our way back to NY, here is our schedule for the next two weeks:

Phoenix, AZ

I love Phoenix and look forward to catching up with a lot of good clients, friends and even some new faces.

Arrive: Wednesday, August 20, 2008

Depart: Friday, August 22, 2008

Staying here: http://www.apachepalmsrvpark.com/


Dallas, Texas

We have a lot of friends that we hope to see while we stop in Dallas. The best part of traveling by RV is the complete flexibility to see clients, potential clients and friends (most of whom were once clients or will be clients). We really enjoy life as a family and seeing the country in a way that allows us to work with people we would choose to spend time with!

Arrive: Saturday, August 23

Depart: Monday, August 25

* we have not yet picked a park, but these are the top three options - have experience or insight? Drop me a line *

http://www.treetopsrvvillage.com/

http://tradersvillage.com/en/grandprairie/rv

http://www.cowtownrvpark.com/


Atlanta, Georgia

** Will be meeting some friends and potential clients to discuss how Into the Breach influences “Awareness that Works”; I love the opportunity to discuss my passions and share research. I’m really pumped about this!

Arrive: Tuesday, August 26

Depart: Thursday, August 28

Staying here: http://atlantasouthrvresort.com/


Potential other stops on the way “home”

  • Considering a brief stop in Charlotte, NC
  • May take one more trip to Hershey Park (need to find a connection at the Hershey Chocolate company - we’re there so much!)

Are you along our path?

If you are along our path or in one of the cities where we are touching down, I would love to meet, say hello and can offer you a preview copy of Into the Breach!  I am currently tweaking the onTour website in time for our September launch and will be announcing the 6-week onTour Fall leg in about a week or so.


Other Quick Updates

  • Four podcasts are lined up, including the Pop Culture Security, Breach Breakdown and Security Roundtable!
  • Despite my compressed schedule, my brain has not stopped; I have been working on a series of articles to share
  • I have a special report on “freeware” that I will be releasing next week; this was a real change in thinking for me and I look forward to sharing what I learned with you.


Book Updates

  • The Kindle book should be available this month
  • The eBook should be available this month
  • The hardcover book will be available September 16, 2008 (we’ll be picking up 500 copies on our way to Nashville, TN)
  • The book can be pre-ordered here: http://atlasbooks.com/marktplc/02353.htm

If you enjoyed this post, make sure you subscribe to my RSS feed!

Posted in Catalyst onTour, Into the Breach

Preview Copies of Into the Breach - Available Now

As I wrap up my week in Las Vegas and prepare to head to Sierra Vista, AZ, I will be offering preview copies of Into the Breach. I’m going to wander down to the Vegas strip this afternoon/evening - if you’d like to get your hands on a copy, please send me an email (michael at this domain) or direct message me on twitter: http://twitter.com/catalyst

We are heading out from Vegas Saturday morning and will stop briefly in Phoenix around noon. We’re hoping to meet some friends for a quick bite to eat and then head on down. We’ll be coming back through Phoenix on the 18th and tentatively sticking around for a day or two.

I have a “Protect Your Business by Managing People, Information and Risk” keynote on the morning of the 18th - and would be happy to explore working with your team as we work our way back across the country. I have an intense 10 days in front of me - but continue to develop content for the blog, have some special reports I look forward to sharing and more awareness and breach podcasts coming up.

I am also working to publish the updated fall speaking schedule - which will see us criss-cross the country, providing many opportunities to meet, work with companies and families around the country and have some fun!


Posted in Catalyst onTour, Into the Breach

Security Catalyst Show for 23 July 2008 | Breach Breakdown with Adam Dodge

With Into the Breach about to go to print, it is time to start looking at what we can learn from security and privacy breaches. Adam Dodge and I — along with some guests — are going to take a monthly look at a notable breach or two in an effort to learn and share insights. We plan to keep these episodes short, and peppered with insights that make the breaches real. We will cut through the hype and present useful information.

PS: Hardcover books are scheduled to be available September 16th. Preview copies are available today and I’ll have a stack at Blackhat and during the next Catalyst onTour trip!

Meantime, check out Adam’s excellent site: http://www.adamdodge.com/esi/

Breach Breakdown Show 1 - Ohio University
Note: until the fix for podpress is released, please note the direct link for the program. iTunes listeners should not be affected: http://www.securitycatalyst.com/podcast/TSC-20080723.mp3

Story of the breach
The story is not just about one single breach, but a group of security incidents discovered by Ohio University within weeks of each other.
- The first breach was discovered on April 21st when the FBI notified the university that a computer in the Technology Transfer Department had been compromised. The FBI had been investigating another, unrelated crime when they discovered the compromised computer. The university discovered that the Technology Transfer server contained personal information on 35 individuals.
- The second breach was discovered on April 24th when the IT staff noticed that an Alumni database server was being used to launch a Denial of Service attack against an external target. This alumni server contained the personal information of 300,000 individuals and organizations, including over 137,000 SSNs. When investigating this incident, the university discovered that the alumni server had been compromised as far back as 2005 and had been accessed from domestic and international IP addresses. This server should have been removed more than a year before the breach was discovered, and the IT department had assumed that it had been. This means the server had not received any updates or patches for more than a year.
- The third breach was discovered on May 4th when the university noticed that someone had gained unauthorized access to a server housing information used by the university’s Hudson Health Center. The compromised server contained personal information on 60,000 individuals.
- The fourth and fifth breaches were discovered on May 23rd when a forensic scan detected that a server housing IRS 1099 forms for vendors and contractors and a server used for online business transactions containing personal and credit card information had been compromised.

In the end, 5 servers were found to be affected. All told, 367,000 personal files containing 173,000 SSNs were compromised. Emergency repair and notifications cost the university over $800,000.

The university fired 2 IT administrators and the CIO resigned.

What was the response
Ohio University’s response to this series of breaches has been, for the most part, outstanding. As one would expect, all of the affected servers were immediately taken offline and investigations launched. However, there is much more to the university’s response than simply taking the servers down and investigating.
- The university spent a large amount of time and money notifying those affected. The university used web pages, e-mail and postal mail to alert over 300,000 individuals about the different breaches. As a result, the university received over 8,000 calls to the information hotline, 800 e-mails and letters of complaint and over 35,000 hits to the web site about the breaches.
- The university spent nearly $100,000 on breach notifications.
- The university formed an IT-oversight committee.
- The university hired consulting firms to perform full risk assessments.
 - The findings were that the IT office was significantly understaffed and that the outsourcing the university was doing was not a good option for the future.
- From these findings the committee put together a 20-point action plan titled “Blueprint for Building a World-Class IT Function at Ohio University”.
- Within three weeks of the breaches the university had spent $750,000 on emergency response fixes and will likely need an additional 7-10 million based on the consultants’ report.
- Ohio University has continued to talk about this breach openly and honestly.
 - OU President Roderick McDavis wrote an essay for the Chronicle of Higher Education titled “What Ohio U. Learned From a Major IT Crisis”. In this essay McDavis is candid and open about the breaches and states that the Ohio University community did not take IT seriously enough. As one of the key lessons learned by Ohio University, McDavis states that continuity is key and that it is important to openly share positive and negative information.
- These are more than just words in an essay. Ohio University has taken the opportunity to speak publicly about these breaches, including a seminar at the 2008 EDUCAUSE Security Professionals Conference.

What went wrong
- There were several issues at work causing these breaches, but all of them come down to McDavis’ statement that the university did not take IT seriously.
 - In 2004, Stephen Kopp, then the provost, wrote to the Chronicle of Higher Education that computer services had grown through “spontaneous mushrooming of IT people on campus”. A report from a consultant confirmed this view, describing the IT departments on campus as an “adhocracy” characterized by poor communications and general mistrust among administrators, duplicated tasks and resources, and a lack of unified strategic decision making.
- Thomas Reid, director of communication-network services, who was fired from the university after these breaches, said he had tried repeatedly to warn supervisors about the security risks since 1998. According to Mr. Reid, much of the blame can be tied to a significant reduction in the IT budget (1 million in 2 years) and a lack of clear IT management. Mr. Reid had 13 bosses in 22 years.
- In the end, this same exact environment can be found at many educational institutions. Ohio University was not unique in these issues.

Links for more information
OU news release about the breaches: http://www.ohio.edu/outlook/05-06/May/485n-056.cfm
An excellent breakdown of the incident (subscription required): Wasley, Paula. “More Holes Than a Pound of Swiss Cheese.” The Chronicle of Higher Education <http://chronicle.com/weekly/v53/i06/06a03901.htm>
Articles about the breaches:
- Sandoval, Greg. “University server in hackers’ hands for a year.” CNet News.com <http://ecoustics-cnet.com.com/University+server+in+hackers+hands+for+a+year/2100-7349_3-6074739.html>
- Vijayan, Jaikumar. “Ohio University reports two separate security breaches.” Computerworld <http://www.computerworld.com/databasetopics/data/story/0,10801,111113,00.html>
OU President McDavis’ essay about the breaches (subscription required): McDavis, Roderick J. “What Ohio U. Learned From a Major IT Crisis.” The Chronicle of Higher Education <http://chronicle.com/weekly/v54/i30/30b00501.htm>
A good write-up of President McDavis’ essay: Heck, Richard. “McDavis writes of computer breach in national publication.” The Athens Messenger <http://www.athensmessenger.com/main.asp?SectionID=1&SubSectionID=273&ArticleID=9592&TM=42628.33>
Ohio University data theft web site: http://www.ohio.edu/datatheft/index.cfm


Posted in Information Protection, Into the Breach, netcast

The Catalyst onTour: Soon We’ll Be Making Another Run

(after reading that title, are you singing the theme to Love Boat yet? If you are, and you miss the program go watch a full episode now: http://www.cbs.com/classics/the_love_boat/)

The book is being printed (finally!). The preview copies are being mailed out. And we have been in the same spot for a few weeks now. It is time to load up the coach and head back out on the roads! Our “ship” is not as big as the Love Boat, but the adventures never cease, and we’re ready for the next one.

What was initially conceived to be the “Campaign Across America” has evolved into the more appropriate “Catalyst onTour.” We have the “tour bus” and a desire to see as much of the country as we can. Unlike a rock band going on tour, we have more of a grass-roots approach and a powerful message: each of us makes a difference when it comes to protecting our information, our identities, our children. As the tour rolls on, we seek to bring that message of optimism and support door-to-door. Seriously.

To better explain the Catalyst onTour concept, approach and benefits to businesses, families and even potential sponsors, we are in the process of setting up the Catalyst onTour website (hopefully before we leave again in July; it’s next after we update the book website). Minimally, this site will allow you to keep in touch and join (if only virtually) our efforts through writing, pictures, audio and video – and ask questions, make suggestions and otherwise get involved and make a difference!

The July/August Route
RVs are fluid. So the final route is a bit up for negotiation right now (and quite frankly, if you’re on the way and would like to work with me, you can easily influence the route). We expect to leave near the end of July and may actually start with a brief stop in Hershey, PA (home of Hershey Chocolate and Hershey Park). Then we’re heading toward Las Vegas. After our stop in Arizona, we may head up the West Coast into California, or we may head back East across Texas, into Tennessee, Georgia and then back up North to New York. Then again, anything can and does work when in an RV (try doing that in a plane!).

[Map image: CoT July Route Out]

Tour Leg Anchor Events
This tour leg is currently being anchored by two events with fixed dates:

  • Black Hat in Las Vegas for some semi-private events: August 4-7
  • Sierra Vista, AZ (private event) week of August 11 - 15

Potential Cities and Stops Along the Way
While we have traveled the length of Route 80 before (though not on this trip), this will be an exciting opportunity to see some new cities (and welcome the family to some new States). Potential stops include:

  • Des Moines, IA
  • Omaha, NE
  • Denver, CO
  • Phoenix, AZ

On the way home, we have a lot of options - so if you are somewhere between Arizona and Upstate NY - let us know and we will try to work something out. We are currently planning to circle back to Upstate NY during the first week of September. This gives us a few weeks home before setting out on a series of speaking engagements and client working sessions, a potential trip to Orlando and whatever else influences some onTour segments.
In the meantime, if you want to get an advance copy of the book, learn more about how the tour can help you meet your goals (for example, awareness), raise your profile or even energize your team before the fall… give us a call (800.996.8351) or send me an email (securitycatalyst /shift-2/ gmail.com).



Posted in Catalyst onTour, Into the Breach, Professional Speaking

Three Ways to Avoid “Wheel Reinvention” - and Build a Better, Trusted Solution

The last article in this series explored the top three reasons why groups have a tendency to reinvent the wheel (read it here, or the entire series started here). And now, some solutions:

Beyond the frustration caused by an approach that simply recreates the wheel, the result is often a solution that is not trusted and therefore readily cast aside in favor of the next offering. Putting a stop to this cycle requires taking a different approach. Success has to be based on fundamentals and sound principles.


How to do it?

A key part of the solution is to enter into deliberate discourse (note: this is a central theme of Into The Breach and a topic I am passionate about). More voices with an opportunity to review, consider and contribute have the potential to lead to a better product. For this to lead to a better product requires a strong leadership team with enough expertise to guide and the skills to help facilitate and negotiate the final result.

Instead of starting with a blank slate, it is a good practice to build on the success of others. When it comes to strategies that protect information, we have plenty of choices – frameworks like ISO 2700x, PCI, FISMA, etc. However, limiting the solution to a narrow set of industry standards may not yield the best results. Sometimes, real progress comes at the intersection of industries (to gain more insight on this approach, consider reading: The Medici Effect) – leveraging how the medical, engineering or other industries have dealt with and handled challenges may bring valuable insight to the effort at hand.

The advantage to building on the validated and transparent work of others is the ability to avoid conjecture and “gut feeling.” This is the challenge: there are few shortcuts to spending the time to outline, think, plan, distill, check, cross-reference. This is an area where transparency really provides a benefit.

When the group of professionals is assembled, here are three steps to harnessing the collective power, building on the wheel (instead of building a new wheel) and reaching a point of success:


1. Capture and distill frameworks (or solutions)

Start by presenting a model to work from, based on an existing solution. In general, individuals and groups struggle to create but excel at editing and revising. With this in mind, selecting an initial framework or set of solutions to present to the group acts as a strawman [http://en.wikipedia.org/wiki/Strawman]. This has the added benefit of allowing people to beat on the framework(s) instead of each other.

The frameworks or solutions can either be selected in advance or decided by the team. Allowing the team to decide may provide for more diverse results but requires more time and a stronger facilitator (who possesses deep subject matter expertise). Stronger frameworks and solutions are those that have already been publicly validated and are more transparent. This suggests the “heavy lifting” has already been done and the team can focus on refining and tailoring what already exists from multiple sources into the solution required.

More important than just compiling a list of viable frameworks and solutions is how they are captured and processed. As the elements are suggested, reviewed and documented, look not only for the similarities, but also the distinctions between them. Working to understand why specific elements were either included or excluded may also reveal key insights that aid the development of a stronger solution. Note the intended audience and users of the solution and how it is received. It may be useful to note the level of maturity, too (since that provides some insights).

This process generates a lot of discussion – this is good, and leads to the second point.


2. Capture and distill the running dialogue

More important, perhaps, than the solutions selected in the last step is the running dialogue that occurs as part of the process. Yet few organizations take the time or make the effort to capture that solid gold value.

Ultimately, the discussion – the true process of negotiation and coming to a common understanding – is precisely what allows a group to build the final product. While the discussion is natural, here are three important questions to ask, answer and record during this process:

a. What works — and why?

b. What does not work — and why?

c. How is this applied — and why?

Look for specifics. This is an area where people tend to rely on “truthiness” – which, to a certain extent, may be okay. In the overall discussion, however, guide people back to more concrete grounding by asking more questions to ensure everyone shares a common understanding (which is not necessarily the same as a common opinion!). The next segment will explore the benefit of capturing this conversation and making it available in the future.

As the conversation continues, there is one more step to increase the overall value.

3. Capture and distill references

The value of having experts together in a room is their collective knowledge – informed by experience, training and a vast array of resources. Therefore, it is incredibly valuable to regularly ask this group to cite the references they find of value.

As the discussion rages on (if you have been part of a working group, rage is definitely the right word), asking people to take the time to cite the references that support their assertions returns focus to the fundamentals.

Not only does this improve the overall framework, but this also improves how it is applied and verified (as we will explore in the next sections).


Bottom Line

Bring together a small, tight team that works well together. Welcome as many voices into the process as reasonable. Take the time to distill and overlay what already works.


How this Applies to Trustmark

When Trustmark gets this right, it will essentially be an overlay on the entire industry – explaining where, how and why the different control families and control objectives can be met. This is important, since it allows for additional regulations or efforts to be acceptable without prescribing a set way of working. But whether working on Trustmark or a new process to protect information, following these steps leads to a stronger - and more trustworthy - result.


Up Next: the second challenge facing Trustmark and similar efforts is in how the solution is applied. We examine this challenge with potential solutions before moving on to the final challenge of how the solution is measured and verified.


If you enjoyed reading this article, please take a moment to either subscribe to the RSS feed (www.securitycatalyst.com/feed/) or sign up for free updates by email. Use the buttons below to print this article or share this with friends and colleagues that will benefit from this.


Posted in Catalyst Insights, Information Protection, Into the Breach, Security Awareness Training, compliance

netcast for this week: I was the (surprise) guest host on the Netsec Podcast

One of the true benefits of sharing thoughts through spoken and written word is the ability to meet quality people. I thrive on conversation - especially discourse that leads to new understanding. I am a firm believer that through purposeful conversation, honest intentions and open minds we can solve a lot of challenges we face.

So when Martin McKeay and I were “chatting” online Tuesday night, he popped in with “Hey - no pressure, but do you want to cohost tonight?” It took about a minute to decide. He shared some links to stories to talk about and I took 30 minutes to read them and write down some ideas - and then boom - we recorded.

I really enjoyed the conversation and was really amped at the end. It took me a while to get ready for bed - my mind was still engaged. I hope you have a similar experience when listening!

Find the show notes here: http://netsecpodcast.com/?p=48

And the direct link to the program here: http://media.libsyn.com/media/mckeay/nsp-070108-ep110.mp3


(PS: I hope you still choose to listen to the programming on The Security Catalyst; however, somewhere in the feed change, we seem to have confused iTunes. If it doesn’t look like we have new shows - you may want to unsubscribe and resubscribe.)


Posted in Into the Breach, netcast