
Archive for Information Protection

Why Teams Reinvent the Wheel

After a decade of participating in certification workshops (and similar events like program and solution development), I have witnessed an interesting trend emerge: ask ten professionals to define a term or concept and get twelve answers. Rarely are these answers tied to a standard framework or definition; instead, they tend to be based on the experience of the expert being asked (or offering their opinion anyway). In my experience, the resulting workshops muddle the opinions together to produce a result people claim pride in (because they have their own opinion incorporated), but rather than building on the wheel, it often reinvents the wheel.

Note: this can be easily tested. With the new awareness of the trend, look for it during a meeting, workshop or even in the stream of answers given on a mailing list of professionals. In most cases there will be a flood of answers that *seem* correct, but lack references or links. While this is not always a bad thing, it often leads to confusion and complication.

While this may not happen to all groups, it certainly happens to a lot of them. Why else do we have so many frameworks to assess risk? When you really dig into them, they all advocate essentially the same thing, with a variety of tools and ways to do it. Most “security” professionals feel that none of them is complete and continue to search for the holy grail (which means they decide to build it better).

This is an inherent challenge, and benefit, of working with a team of experienced, dedicated and passionate professionals: each has tremendous value to contribute based on their experience. The problem lies in distilling the various experiences into a useful solution instead of working to muddle them together into something that looks like the wheel we already have, but only slightly different (and not necessarily better).

In order to prevent the unnecessary reinvention of what already exists — and use time and resources to get better results — it is important to first understand the three main reasons this happens (tomorrow, we explore what to do about it):

1 - “Truthiness” Strikes Again!
If you have not (yet) watched The Colbert Report, “truthiness” is the term Stephen Colbert coined, defined as:

“things that a person claims to know intuitively or “from the gut” without regard to evidence, logic, intellectual examination, or facts.” [http://en.wikipedia.org/wiki/Truthiness; this is entirely worth the quick read and consideration]

There is too much “truthiness” in security today — inherent in the myriad of certifications, frameworks and solutions — and the industry overall. I suspect it is a result of exerting professional opinions combined with a [perceived] lack of time to back it up with references. This is, quite possibly, the single biggest challenge the industry faces right now: put enough experts in the room and everyone has an opinion that is a shade different from the others.

The paradox is that these different opinions are precisely what is needed to distill the core essence necessary for an effective solution. These opinions need to be captured, tied back to references and distilled for important elements. However, in a group setting of experts, each person has an innate desire to share valuable information and insights; everyone wants to be “right.” Just because someone “claims it so” doesn’t make it true (even if it is written on the Internet).

Truthiness brings an unintended consequence: personal emotional involvement. It is easy to make a statement of “fact”, but more difficult (albeit necessary) to back it up with references and data that support the point. Call it ego, passion or whatever you want. Whether relying on a priori or a posteriori knowledge (I had to look it up, too: http://en.wikipedia.org/wiki/A_priori_and_a_posteriori_%28philosophy%29 - hat tip: Lori Mac Vittie), individual emotion and reputation become entangled in the result; this introduces unnecessary complication that muddies the end result.

(Pick the Brain recently ran a great post about this: Is Truthiness Holding Back Your Blog? If you’re not reading this regularly, you should consider it.)

2 - Failure to Focus on Fundamentals
The value of pulling together a team of professionals lies in their collective experience. These experiences inform opinions that are important when used to explore or contrast fundamental concepts. The challenge is ensuring the opinions are couched properly and tied back to the appropriate fundamental concepts. All too often, fundamentals — which take time to review, distill and cite — are left by the wayside. People accept “close enough” as being “good enough,” when, in fact, it is not (well, except for horseshoes and hand grenades).

Over time, a tight grasp on fundamental concepts is loosened. As experience colors fundamental understanding, individuals accept “close enough” and rely on truthiness (after all, it works in their professional lives). Failing to focus on fundamentals (or at least reference sources) leads to confusion of language, resulting in wasted time and effort. This extends beyond the current session to future sessions where the specifics of the discussion have long since been forgotten. By failing to establish anchors to accepted standards, definitions, resources or other fundamentals, the essence is lost. As a result, it is difficult, if not impossible, to make meaningful progress.

Using language to reach a truly common understanding requires constant and skillful negotiation. Success comes when those involved work together to build a common set of anchors. Without a similar frame or grounding to the same perspective, it becomes increasingly difficult to reach the same conclusion.

3 - Groupthink Prevails

“Groupthink is a type of thought exhibited by group members who try to minimize conflict and reach consensus without critically testing, analyzing, and evaluating ideas. During groupthink, members of the group avoid promoting viewpoints outside the comfort zone of consensus thinking. A variety of motives for this may exist such as a desire to avoid being seen as foolish, or a desire to avoid embarrassing or angering other members of the group. Groupthink may cause groups to make hasty, irrational decisions, where individual doubts are set aside, for fear of upsetting the group’s balance.” [http://en.wikipedia.org/wiki/Groupthink]

Here is where this applies: most of these groups have few arguments. The few challenges that exist tend to be heated and passionate discussions centered on two different positions, both relying on truthiness. The sad reality is that most people have forgotten (or never learned) how to challenge and argue effectively.

This lack of practice in participating in argument is also hampered by the personal emotion. When the argument is centered on the idea of a person instead of a fundamental concept and how it is applied - it feels like a personal attack to the person who suggested it. And sometimes, it probably _is_ a personal attack. Regardless, it does not represent a constructive approach toward real results.

Realizing the conflicts are unproductive (and sometimes uncomfortable), groupthink kicks in. It is further compounded by those who are less certain of the facts and decide to remain quiet lest they be branded as unworthy of participation. The natural instinct is to presume the other person knows more and avoid the embarrassment of being wrong. So instead of vigorous and productive conversation, the group is met with tacit approval (and sometimes whispers in the corners).

Passion expressed as truthiness that is not anchored to references gives way to groupthink. The resulting product often resembles a reinvented wheel, instead of a solution that takes advantage of the good wheels already developed.

Your New Wheel (wait, did you want a new wheel?)
What about personal pride and taking ownership of the solution?

While “ownership” is believed to lead to better results (the whole concept of responsibility addressed in Into the Breach), few people want to own the efforts of someone else. Personal investment clashes with the fashionable approach of rejecting solutions “not made here” (which would take another series to explore). Basically, everyone wants to build their own, better solution (for various reasons). Unfortunately, as the process unfolds, the three elements outlined above combine to create an end result that the very professionals involved often distance themselves from. Personal pride turns to hurt emotions and bitter feelings. And the search for a new solution kicks back in.

How to overcome these challenges and build a successful framework/solution will be tackled in the next segment.


Posted in Catalyst Insights, Information Protection, Security Awareness Training

The Challenges for Trustmark (or any Framework/Solution)

I am going to continue my examination of the CompTIA Security Trustmark by sharing some challenges inherent in groups — and then revealing some simple steps to overcome those challenges. Read Part One or engage in the conversation.

As noted earlier in the series, Trustmark initially eases the path for “channel vendors” to gain confidence in their VARs. Regardless of whether each vendor is conducting some level of “due diligence” today (or not), by working together on a common framework and audit standard, churn is reduced while assurance and confidence are increased.

Trustmark may be currently focused on the 20,000+ members of the reseller community, but I see a short path to benefiting the Fortune 500 companies seeking to complete their due diligence on smaller partners. I even see a path for doctors, lawyers and other professionals. Much like BITS is becoming an accepted standard for large organizations [download the framework here: BITS Framework for Managing Technology Risk for IT Service Provider Relationships], Trustmark can do the same.

Three Challenges to Success
Whether developing the Trustmark, working any type of certification or developing a new process, there are three broad challenges to ensuring a successful outcome:

1. building the framework/solution
2. applying the framework/solution
3. verifying the framework/solution

The balance of this series will explore each of these challenges to reveal what happens and how they can be successfully met. It seems that each time I sit down to work on them, I learn (and the article expands). To make it more readable, I’ll be breaking these down into a series of readable columns. However, if there is enough interest, I’ll pull them together in the end for a cohesive paper and make it available for download. I know that I’ll be referring back to this research to avoid mistakes in future efforts.


Posted in Information Protection, compliance

Pride of Accomplishment - and what really matters

Earlier today we received the shipment of “preview copies” for Into the Breach. This is the first book that I authored by myself (as opposed to contributing) - and it took longer than expected. Despite the delays, the entire journey has been amazing!
COVER: Into the Breach: Protect Your Business by Managing People, Information and Risk
To open the book and hold the finished (albeit preview) product in my hands felt cool. Okay, I did a little happy dance in the office. Then I realized that the book website is out of date (and is slated for massive overhaul next weekend). We’re also working on the link for pre-orders and a final ship date for the Hardcover version…. mind racing, pressure building, I got back to work.

Just now, my children came home. My son actually snuck into my office (he’s getting good!), walked up behind me and yelled “Congratulations” and gave me a huge hug. He was as excited as his birthday when I handed him his own copy. He looked me dead in the eye and told me, “Daddy, this must have taken a lot of time. I am very proud of you.” His entire body let me know he was excited. And proud. A minute later, my daughter came running in, cheering for me. She immediately asked for her copy, hugged me and told me the book looked “great.”

The tears welled up as they scampered upstairs to put their books in “a safe place.”

I didn’t write this book for the sake of writing; rather I wrote to shift thinking and change behaviors. I asked, “What if breach isn’t the problem?” and then spent a few years blending and distilling sociology, psychology, applied economics and experience with technology to share some insights and suggest a path. I wrote to make a difference. The process of writing involved the entire family - and for that, I am grateful.

Holding the book today was an awesome feeling. And yet it was quickly trumped by the simple celebration and pride my children took in me. This is what really matters. Today is a day to remember.

Update: My parents and Grandmother came by for dinner. My son ran out to meet them - book in hand. Couldn’t wait to tell them “how totally awesome Daddy’s book is.” Totally an awesome day to remember.


Posted in Information Protection, Professional Speaking, compliance

Three Challenges to Building Trust (and how to overcome them)

How hard is it to build trust?

“When people honor each other, there is a trust established that leads to synergy, interdependence, and deep respect. Both parties make decisions and choices based on what is right, what is best, what is valued most highly.” –Blaine Lee

In my last article, I introduced the efforts of CompTIA to address a growing need in business today with the Trustmark certification.  The Trustmark, initially focused on small and medium-sized VARs, represents a promising step forward in how businesses demonstrate and verify they protect information. As outlined in part one, I see a far larger benefit for small and medium businesses everywhere – provided Trustmark is positioned and grown properly.

Note: The more I think about Trustmark and the challenges of getting it right, the more I see vast potential. As such, I’m lengthening this article into a series of posts to share more ideas and invite constructive conversation.


The Challenges

Now I turn my attention to addressing the key challenges – with suggestions on how to meet and overcome them. This is also a call to action for professionals to come together to tackle these challenges industry-wide.

When I left the Trustmark workshop, I sensed the start of a necessary program that is heading in the right direction. In the weeks since, I have continued to consider the approach – and the challenges that must be overcome — in the context of my own experience with frameworks, education and industry measurement.

Aside: these challenges are not unique to Trustmark – these are challenges many of us face every day, especially when it comes to presentations, standards development, projects and our day-to-day activities.

The next few articles will address some of the key challenges and provide some insights – based on my experience – to successfully address those challenges.


  1. No Need to Reinvent the Wheel
  2. Provide Transparency with Support
  3. Establish a Sound Audit Process


Make a Difference

While you may not (yet) share my enthusiasm for a way to verify how vendors and other businesses protect information, your experience, concerns, insights and ideas are essential to the success of this and other efforts. So – reach out to me by email, telephone, twitter or join me in the Security Catalyst Community to sound off.  I’m interested in any and all feedback – especially from small business owners, VARs, vendors, anyone who has been through this process. 

By blending our voices and experience together, we are able to influence positive change (while actively considering and addressing unintended consequences).

Stay tuned… 

Posted in Information Protection, compliance

Can you be trusted? Can you prove it?

“What questions do I need to ask to make sure my vendor is protecting my information?”

I got asked that question last week from a new client working through the Protecting Information Program (PIP). Following the PIP process, he realized vendors were supporting key systems — raising questions he could not answer. He needed more assurance that he wasn’t taking on unnecessary risk – and was looking for guidance. It is a good question. The challenge, however, is to provide an equally good answer.

Traditionally, the answer to that question is focused on the vendor employees in terms of how many hold a security certification (my status as a CISSP Instructor has been valuable in the past). This is better than nothing, but all-too-common is the situation where the cobbler’s children wear no shoes (or the modern adaptation where the contractor’s spouse never has anything fixed around the house). 

Instead of relying on individuals holding certifications, some turn to checklists. Checklists are both good and dangerous (I feel another post coming on about my experiences with developing checklists). Checklists that are simple, easy to understand and just as easy to apply and answer are more effective. But what happens if the business asking the questions lacks the experience to gauge the answers?

We need a better solution.

I recently got an insider’s look at a better solution: The Security Trustmark, a new organizational-level certification being developed by CompTIA. Some limited information is available here: http://www.comptia.org/sections/trustmark/

From their website:

The CompTIA Security Trustmark is a vendor neutral accreditation around security business capabilities and processes that have been agreed upon by the IT industry to promote generally accepted security practices that will invoke the trust of end-users.

The objective of the CompTIA Security Trustmark accreditation is to develop a baseline standard of security practices around service and support business competencies for Solution Providers and Managed Services Providers (MSPs).

After participating in the workshop and spending a few weeks pondering this approach, I want to briefly introduce what I consider to be the benefits of this offering, share what I liked and explain where I see the challenges (tomorrow).

And then I want to learn – join me in the conversation about this whether by email (securitycatalyst - gmail), by twitter (http://twitter.com/catalyst), in the Security Catalyst Community Discussion Forums or by telephone. I want to learn about other models, efforts, and attempts. I want to understand if there are additional challenges for us to consider. I want to understand how this effort is (or becomes) useful to more people.


The Starting Point

Initially, this approach is geared toward small and mid-size vendors and VARs: companies that work within “the channel.” This approach:

  • sets a standard for smaller companies to achieve, allowing them to demonstrate to their channel partners they pose less risk to work with
  • allows vendors higher confidence across their entire channel
  • creates distinction for VARs and Channel Vendors alike that results in competitive advantage

With the growing attention on breaches, privacy and compliance – rather than working to explain all of your measures, think of the power of explaining that you have attained the Trustmark – publicly verifiable and audited.


The Big Picture (as I see it today)

My passion for this, of course, is bigger. In the last few years, a growing challenge for those I work with is defining and explaining the minimum set of acceptable controls to protect information. Equally challenging for larger organizations is designing and employing third-party (vendor) review processes.

This results in a lot of re-creating the wheel. And it increases the cost of business for everyone involved. I have no argument with the need for due-diligence on vendors – but lament every year the lack of a “common application” approach that seems to work for university applicants.

Imagine being able to pre-validate vendors by virtue of their having a Trustmark.

Provided the core elements of Trustmark are publicly available (transparent) and regularly maintained to represent the distilled good practices for managing people, information and risk, we collectively take a step forward.

  • Businesses know what is expected of them – and will have the opportunity for the guidance and support to take the appropriate actions for their business. They can then earn the Trustmark designation and use that to differentiate themselves for contracts.
  • Companies seeking to review vendors can greatly cut down on costs and timelines for vendors with a valid and audited Trustmark. It may not replace the current programs – but it certainly establishes a stronger base to start from and increases assurance while decreasing risk.

Done right, Trustmark is not another reinvention of the wheel. Rather, it provides a clear direction for businesses that distills the best of industry guidance. I envision this operating almost as an “overlay” – where several valid methods to meet the controls are deemed acceptable. This reduces complexity and more naturally meets the needs of those who seek the certification. For example, companies already compliant with HIPAA and PCI should be able to easily earn the Trustmark. At the same time, a company that need not meet any of those requirements is equally able to address and satisfy the controls necessary to get certified.

Over time, I envision this meeting the needs of car dealers, medical offices, bank branches – the very places we visit on a regular basis. I see this as the smartest way to distill the best of our industry and present guidance in simple terms to businesses that want to protect information, but focus on other areas (for example, making money).

Answering the Question

No question, I am excited about the potential Trustmark holds (both short-term and long-term). I see this as a real answer to valid and necessary questions about how vendors protect information — in a way that builds trust and allows everyone to focus on whatever they do best while meeting fiduciary duties.

As I was working on this article, I took an unexpected meeting with a company facing the same challenge: how to assess their vendors from an information-protection perspective. The marketplace is ready for standard guidance and a program that builds confidence; we have an opportunity to make a difference!

Tomorrow, I’ll continue this article by explaining the key challenges I see facing Trustmark, as well as some insights on how to address them. In the meantime – how do you answer the question when asked about assessing vendors? How do we avoid reinventing the wheel? How would this benefit your business?

Posted in Information Protection, compliance

On Reports (a perspective)…

By Adam Dodge

Lately, there has been a flurry of activity in the land of security breach reports, with organizations such as Debix, Verizon, the Identity Theft Resource Center and the Department of Justice all releasing reports looking at security breaches, breach notification laws and the state of information security in general. As someone who has been in the world of tracking and monitoring breaches for two years now through Educational Security Incidents, I am excited over the increased attention and information that is coming forth and the lessons that can be learned from these breaches. However, it is important to remember that there are inherent limitations on the applicability of breach statistics, and therefore we all must be cautious about reading too deeply and arriving at conclusions that the information in these reports does not support.

Before we go any further, yes I do develop a similar report each year and yes my report is subject to the same limitations as all of these other reports. My point here is not that all other reports are wrong while the ESI YiR is the shining beacon of truth. The point is that the information delivered in these reports is simply that, information. It is up to the reader to interpret this information in a meaningful way. The problem, then, stems from misinterpretation and this

What do I mean by “misinterpretation”? Well, a common problem with the statistics provided in these reports (remember, I’m including my own report as well) is that the numbers are based on the sample set, and the ability to apply these numbers depends a great deal upon the size of the sample and how randomly the sample was chosen from the total population. Alright, that might not be a good enough answer, so allow me to explain further.

The Verizon report has made a big splash in the security world and for good reason. Verizon did an amazing job with this report. If you haven’t read it, go do so now. Seriously, stop reading this and go read the report. It is that good.

However, the report is based around 500 forensic investigations performed by Verizon’s Business RISK team between 2004 and 2007. These 500+ breaches that Verizon analyzed for this report were not randomly chosen from all breaches that occurred. Instead, the information was mined from the investigations stemming from breaches that were serious enough for a company to reach out and contract with Verizon for assistance. This is a potential point of bias for this survey.

Most companies are not going to spend money on investigations for small breaches or those that are easily explainable. Therefore, it is very likely that breaches such as information left in public, information accidentally placed on a public web site, etc. are underrepresented in the sample Verizon used. It is also likely that smaller companies and non-profit organizations are underrepresented as well, since these entities lack the funding that larger, for-profit organizations have at their disposal.

What does this sample bias mean for the validity of the Verizon report? Nothing. Nothing at all. There is no problem with the sample bias of the Verizon report. The simple fact is that all security breach reports (again, including the ESI YiR) suffer from the same problem. Unfortunately, there is no good way around this problem yet. Everyone that I talk to involved with tracking breaches has the same complaint: there is no centralized reporting of breaches in the United States, and those states that do require breach reporting to a central authority have different reporting requirements, litmus tests and public access to breach information.

So am I suggesting that everyone stop reading these reports? Absolutely not. It is not just self-preservation that makes me say this, however much I enjoy my work with ESI. These reports are an excellent way for information security practitioners to track the movement of threats and discover what types of security threats similar organizations are facing. The point of all of this is that each and every one of us (including the media) needs to make sure that we are interpreting the data in these reports properly before we remove our firewall because the 2007 ESI YiR said that employee mistakes outnumber hackers as the cause of a breach 2:1, or before we discontinue our security awareness and training programs because the Verizon report says that 73% of all breaches came from external sources.

How can these reports be so different and yet both be correct? Simple, look to the samples used to compile them.
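A worked illustration of that last point, added here as an example and not part of Adam Dodge's post or the ESI report: the breach population, the per-cause counts and the probability that a victim pays for an outside forensic investigation are all constructed numbers chosen to make the effect visible, not figures from any published report. In the full population, employee mistakes outnumber external attacks 2:1. Count only the breaches that reached a forensics caseload, though, and external attacks dominate, because those are the incidents companies pay to investigate. Both figures come from the same population and neither is wrong; they answer different questions.

```python
from fractions import Fraction

# Constructed population of breaches grouped by root cause. The counts and the
# per-cause probability that the victim commissions an outside forensic
# investigation are assumptions for illustration, not data from any report.
POPULATION = {
    # cause:             (breaches in the population, P(victim hires a forensics firm))
    "external_attack":   (300, Fraction(8, 10)),   # serious, usually investigated
    "employee_mistake":  (600, Fraction(1, 10)),   # common, rarely worth an outside firm
    "lost_or_exposed":   (100, Fraction(1, 20)),   # lost media, data left on a public site
}


def population_shares(population):
    """Share of each cause across every breach that actually occurred.

    This is what a complete, randomly sampled census would report.
    Fractions are used so the shares are exact rather than rounded floats."""
    total = sum(count for count, _ in population.values())
    return {cause: Fraction(count, total) for cause, (count, _) in population.items()}


def investigated_shares(population):
    """Share of each cause among breaches that ended up in a forensics caseload.

    Each cause is weighted by how likely its victims are to pay for an
    investigation. That weighting is the selection step that biases a
    caseload-based report relative to the underlying population."""
    expected_cases = {cause: count * p for cause, (count, p) in population.items()}
    total = sum(expected_cases.values())
    return {cause: n / total for cause, n in expected_cases.items()}


def ratio(shares, numerator, denominator):
    """How many breaches of one cause occur per breach of another, within one sample."""
    return shares[numerator] / shares[denominator]


if __name__ == "__main__":
    census = population_shares(POPULATION)
    caseload = investigated_shares(POPULATION)
    print("census   : mistakes per external attack =",
          float(ratio(census, "employee_mistake", "external_attack")))
    print("caseload : external attack share        =",
          float(caseload["external_attack"]))
    print("caseload : employee mistake share       =",
          float(caseload["employee_mistake"]))
```

Change the investigation probabilities and watch the caseload shares move while the census shares stay put; that is the whole argument of the post in one knob. The same weighting idea applies to any report built from incidents that had to clear some threshold (a notification law, an insurance claim, a contracted investigation) before they were counted.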

Posted in Information Protection

Security Roundtable for June 2008: Clarion Call of the Jericho Forum

If you believe the Jericho Forum has called for the end to firewalls, then you need to stop what you’re doing and take a listen to this month’s Security Roundtable.

After attending an interesting discussion during RSA, Martin and I invited the Jericho Forum to join us at the roundtable to talk more about what the Jericho Forum is, and what it does. We learned a lot and share the discussion with you…

Joining us on the program:

Learn more about Jericho Forum: http://www.opengroup.org/jericho/

Paul Simmonds, Co-founder and board of management Jericho Forum  & former CISO, ICI
Until May 2008 Paul Simmonds was the CISO at ICI (www.ici.com). Paul’s varied career has included Electronic counter-measures, Theatre Lighting, North Sea Oil control systems, JET (Nuclear Fusion Research) and commercial radio. Prior to joining ICI in 2001 he was Head of Information Security with a high security web hosting company and before that spent seven years with Motorola, as global information security manager. 

Paul was awarded European Chief Security Officer of the year at the 2005 SC Magazine Awards and is listed in both the 2004 & 2005 global top 50 most powerful people in networking by the US publication Network World.  Paul sits on the management board of the Jericho Forum and the Executive Advisory Board of ISSA UK. He also is a British Canoe Union Level 3 Kayak Coach.


Shane Buckley, President & CEO, Rohati Systems, Inc.

Shane Buckley is the President and Chief Executive Officer at Rohati Systems, Inc. Buckley comes to Rohati with more than 20 years of global executive and general management expertise, having held senior executive positions in the United States, Europe, the Middle East and Asia-Pacific.


Before taking the helm at Rohati, Buckley served as Chief Operating Officer at Nevis Networks, Inc. a leader in network access control. Previously, he was Vice President of Worldwide Enterprises for Juniper Networks. Prior to that, he served as the International President of Peribit Networks, the leader in Network Optimization. Juniper Networks purchased Peribit in June 2005 for $380M. Before Peribit, Buckley served as Chief Executive Officer of Conduit Software, a provider of Directory Assistance and Wireless Applications solutions. Previously, he was Vice President, EMEA at 3Com. In this role, he managed a $2.2 billion business unit and was responsible for 3Com’s distribution strategy, OEM partnerships and reseller channels. Buckley also chaired 3Com’s Global Distribution Council, was a member of the company’s worldwide OEM steering team, and served as 3Com’s head of operations for the Asia-Pacific Region based in Hong Kong and Tokyo. 


Buckley is a frequent speaker at high-level industry trade shows and events such as Gitex, CeBIT and The Wall Street Journal Europe conference. He has also contributed to a number of magazines and news programs including MSNBC, SABC and Middle East Business news. He holds an engineering degree from the Cork Institute of Technology in Ireland.


SRT June 2008: Jericho Forum [54:21]

Posted in Information Protection, netcast

Security Catalyst Show - Pop Culture Security (debut): Night at the Museum

Welcome to the debut of the Pop Culture Security program - a monthly installment of the Security Catalyst Show. Please also welcome James Costello - the man with the idea for this program and my cohost on this effort. This program explores and explains how to use pop culture to communicate security concepts to those around you. We explain by doing, and respond to your challenges.

This podcast is based, to a large extent, on the work James did in preparing for and delivering a peer to peer session at the RSA conference this year. While sitting at Mel’s the morning of his presentation, we enjoyed a conversation about the topic that kept on going, and immediately decided the best way to extend the conversation and build on his efforts was to produce a monthly program.

For our first piece of pop culture to use as a reference point to better explain security, we selected Night at the Museum, a comedy with Ben Stiller that is currently (or was) running on Home Box Office (HBO).

Movie at IMDB (including synopsis): http://www.imdb.com/title/tt0477347/

Movie Trailer: http://www.imdb.com/video/screenplay/vi2459500825/

This movie held many lessons for those responsible for security, in addition to providing some excellent examples for us to anchor our points to. We will work to keep the program short, informative and useful, especially if you are interested in building a security awareness training program that works!

To participate in the monthly challenge:

  • call  206-350-8346 and leave us a message with your challenge
  • email popculturesecurity &at& securitycatalyst dot com

PS: I recently purchased a Snowball microphone in an effort to streamline my audio programs and preserve quality. So far, I am disappointed with the quality of the unit, and feel that my sound is hollow and tinny; as such, I’ll be exploring how to restore the sound quality I appreciate in the coming days. The challenge is capturing sound in a way that works with Skype for many of these interviews, but is still portable. If you have experiences, ideas and suggestions for something functional, portable and reliable, shoot me a note. In the meantime, enjoy the programs. More to come next week, with an “Author Interview.”

Security Catalyst Show | Pop Culture Security

Posted in Information Protection, Security Awareness Training, compliance, netcast

Moving to Better Security

By Michael Starks

Anyone who has moved across the country, or even across town, knows how much work it can be. Everything has to be packed, utilities have to be transitioned and friends need to be bribed with pizza. But what happens when things don’t go exactly as planned?

It was 9:30 PM. We had been working non-stop for the past two days. We had to face the facts. We had too much stuff. It wasn’t all going to fit. We had run out of room on the truck.

Looking around, we still had living room furniture, a 19” TV, work benches and various other items. Although we were exhausted, stressed and hungry, we had to make some choices. Enter Incident Response mode.

My wife, mother and daughter were scheduled to fly out the next day. We had this plan, see, and everything was supposed to have been packed by now. The ladies would fly out on Wednesday, and my father and I would start the 1,500 mile drive to our new home.

Barely able to put two thoughts together, we reasoned that we had the following choices:

1. Change the tickets so they could stay behind and help.
2. Let them fly out as expected and deal with the stuff ourselves.

After a call to the airlines, option number one wasn’t so appealing. Clearly, they wanted to send a message that changing flight times was going to be painful. That message was about $900. OK, Dad and I can handle this. Somehow. Yeah. We’ll get it done! What was that we were trying to decide, again? I could really use some dinner.

The next day, Dad and I loaded the last of what was physically possible in the truck. After pondering one of those miniaturizing ray guns, we decided that the next best thing to do would be to donate the rest to a local charity.

That turned out not to be necessary. We didn’t realize it, but we had one of those neighbors who truly epitomized the word neighbor. She offered to take everything that was left over. She would donate some, keep some and deal with the rest. She undoubtedly saved us at least an additional day of effort and countless hours on the road trying to make up for lost time. Score one for good karma.

After four long days, we finally started our journey. And as I drove, I couldn’t help but look back and reflect on the situation. It had so many parallels to information security; specifically disaster recovery, business continuity and incident response.

What could we have done better and how does this relate to security?

1. We didn’t take care of the important stuff first. I would have much preferred to take the couch over the several PC skeletons I will rebuild. Someday. Right. Are you prioritizing the important items in your information security program? What will be left behind when the budget gets reduced?

2. We failed to plan for contingencies. Although we did give a lot away before the move, clearly we underestimated how much we had. We didn’t ask the question, “What is our plan if we run out of room on the truck?” We didn’t ask, “How will a change in plans affect ticket prices?” We did some planning, but it wasn’t enough to cover the risks. Have you considered what will happen if key people are gone? Have you thought about the effects of the firewall being mistakenly configured for ‘allow all’?

3. We underestimated the impact of physical fatigue. Being physically tired affects our ability to think clearly and make good decisions. We’re human beings and no matter how unaffected we think we’ll be when the going gets tough, there will clearly be some level of detriment. Does your plan take the human factor into account? In a disaster, are you expecting your administrators to work 24, or even 48 hours without sleep? In effect, are you expecting them to be non-human?

4. Finally, we failed to properly estimate the workload. None of us ever has enough time in the day. Does your security program have the people and other resources needed to accomplish your goals? If not, there are two things that you can do: get more resources, or see number one and take care of the important stuff first.

Large changes in life and in security are inevitable. But with proper planning, you’ll be in a better place to deal with them. Now, where was that hammer…

Posted in Information Protection

Heading home from Hershey Park (again)

During [these] periods of relaxation after concentrated intellectual activity, the intuitive mind seems to take over and can produce the sudden clarifying insights which give so much joy and delight.
Fritjof Capra, physicist

Again, I find myself packing the RV to return home. Again, I find myself calm, mentally focused and brimming with ideas. I am convinced that the body and brain need time away in order to make sense of that which we experience. It seems that every time we are in the RV, I am afforded time to think, consider and analyze. As such, I’ll be sharing some of what I observed this weekend as it relates to how we practice information security and change the way people protect information.

Specifically, I’ve been thinking about “compliance awareness” (the stuff most people do today in the name of awareness) and “true awareness” (the situations that shift thinking and lead to a behavior change).

In the meantime, I’ve started to look for some additional voices to share their ideas and insights; to act as catalysts to help us think differently about the way we act.

Today, I introduce to you Michael Starks. Michael is an Information Security Professional specializing in host-based security, IDS, log analysis and compliance. He believes in applying basic security principles to an ever-changing threat landscape, and is currently exploring the various ways in which human behavior affects the success of security programs. He is a founding member of the Rochester, NY chapter of ISSA and has served for both ISSA and OWASP. He currently holds the CISSP, GSNA and A+ certifications. In his spare time, Michael enjoys spending time with his wife and daughter, and listening to early twentieth-century blues.

Hopefully we can convince him to share with us on a regular basis!

Posted in Information Protection, compliance