The Security Catalyst

I’ve heard other authors exclaim that at the end of the writing process, it felt as if they were ready to give birth — and couldn’t wait for this labor of love to be done. Well, I’ve been the husband/father side of pregnancy, and it was smooth sailing for me. Now that I’m nearing the home stretch of this book, I’m starting to understand…

Into the Breach: Why Companies Fail to Protect Data and What We Need to Do About It has been under development long enough! I have distilled the problem and presented a careful and easy-to-follow solution that will help companies improve their top line, protect their bottom lines and manage people, risk and information more efficiently. I am writing a book for business leaders to understand the fundamentals of how to unmask our human problem and take simple steps to reduce the chaos.

I’m ready to get this out there - and to share what I have learned and help more companies. So… I have decided to pack up the RV (it’s cold here in NY) and head down to Charlotte, NC. Why Charlotte? Why not. Seriously, though, my best friend lives in Charlotte - and he and some other good friends have suggested that we consider moving our base of operations to the Carolinas. The more the tell me about the region, the more I’m inclined to agree, so I decided it would be a good time to take 10-12 days to head down and check it out, while wrapping up the book.

I could use your help
If you live or do business in Charlotte - I would love to speak with you, or even meet with you in the next two weeks. I’m seriously considering moving our business there — and I’d like to learn about the business climate, partnership opportunities (or companies looking for a partner), family environment and the like. If you have a friend in Charlotte, perhaps an introduction would be possible?

Do you want a preview of the book?
I’m going to be hip-deep in finishing up the book. If you live in Charlotte and want to get a free preview - let me know and we can catch up. I’ll bring what I’m up to, and you can help me work through any rough spots while I get the manuscript finished off. I look forward to meeting you and working through the elements. This goes for business, personal… whatever. In fact… if you want to schedule some time with me and your team, I can share some of the keynote and strategies for success with you. I’ve been testing the book for the last year, and I know this works. I’m happy to share.

When you will get the book
I plan to have the galley copies out by the end of the month to my review team. I plan to have the entire project finished by the end of January and then it’s off to the printer!

If you can’t wait (for business or personal reasons)
I will be making a sample chapter available in the next few weeks. It’s seriously top priority for me. At that time, I’ll be able to accept pre-orders and take requests for autographed copies, too.

At the same time — you can book me right now for a dynamic keynote to prepare your organization now. In fact, we’re lining some up for December so that people can get this information before the new year! I promise I’ll do what I can to get this information to you and into the hands of decision makers as soon as I can.

I also am offering a limited number of my Information Protection Program to companies that want to implement the suggestions in the book to reduce the risk of breach, while reducing the cost of compliance. If you’re serious about changing the way people protect information, I’d like to have a conversation with you about how my program can help.

If you enjoyed this post, make sure you subscribe to my RSS feed!

Products & Services

“Without change, something sleeps inside us, and seldom awakens. The sleeper must awaken.”
-Frank Herbert

By now you’re getting a sense of what we are doing. With a new interpretation of our role in the information security community, a larger team, more consistent communications and new products and services, we are providing a comprehensive resource for individuals and organizations concerned about protecting data.

It is important that you understand that the change to The Security Catalyst is not cosmetic. While we have updated our marketing, our real investment has gone into developing toolkits, web-based services, new presentations, and bundles of services so that we can deliver what you need – whether you are technically inclined or not. Our new offerings includ• e:

• The Information Protection Toolkit (IPT)

• ‘Speaking About Security’ training sessions for security professionals

• The Privacy and Awareness Toolkit

• Keynote speeches and workshops designed to engage, empower and enable your teams

• Catalyst Sessions - dedicated and private support that blends coaching, consulting, and facilitation with deep industry experience.

We’ve been testing our solutions over the last few months, and I am now excited to offer them with confidence – to help you improve your practice of information protection. We’re putting the final touches on our website so we can share more details with you in the coming days.
Visit our website or contact me for more information.

If you enjoyed this post, make sure you subscribe to my RSS feed!

On my way home this evening, I drove through a driving thunder storm. Along the way, stopped at a red light, I saw a group of middle-school children dancing and laughing in the rain. It was a sharp contrast from the adults I saw a few blocks back scurrying away….

Sitting at the light, I wondered - would I dance in the rain, or would I scurry to get out of it? Thinking about the example I would set for my children, I realized:

I would dance in the rain; I will dance in the rain. You might call me crazy (if I wasn’t crazy, I would be insane - thanks Jimmy Buffett) - but absorbing and celebrating the moment is where passion is born. It’s where we can feel free, and we can be ourselves. I will appreciate and respect you for trying. Hopefully you’ll do the same for me; but if not, I’ll be confident that I am me…

During the rest of the drive, I realized it’s not much different for security. All-too-often, we’re so concerned with what people think, what they say, how we’re perceived that we focus all our energy of being someone or something else. We stopped living in the moment; we stopped having fun. We stopped “dancing in the rain.”

I feel like our industry is a bit tired right now. A lot of us feel frustrated and that perhaps the industry has lost it’s way. I’m an optimist - and I see a lot of opportunity. I dance in the rain, and I know that we’re able to make a difference. In the US, we’re heading into a long holiday weekend that marks the end of summer and the return to work, to projects and to our efforts. My wish for you this weekend is that you are able to take some time to refresh. Find your own way to dance in the rain (or sing in the shower).

Renew your passion for security. When you come back, I’ll be here with ideas and will share my research and experiences to support your organization, and to support you. We can dance in the rain together and change the way people protect information!

If you enjoyed this post, make sure you subscribe to my RSS feed!

Security has a bad name. Whenever I say I work in security, people get paranoid assuming that my job is to block whatever good work they are doing in the name of security. Plus, in many organizations, security is a one way street. Information goes in, but never comes out. There’s no information sharing because neither side wants to discluse their “secrets.” It’s time to change this negative connotation for security.

For my entire security career, I’ve been exploring ways to improve the image and effectiveness of security. Also throughout my professional career, I’ve been studying leadership. Recently it dawned on me (while reading Seth Godin’s The Dip) to put the two together. One of my favorite leadership books is The One Minute Manager by Ken Blanchard, Ph.D. and Spencer Johnson, MD. There is no reason why we can’t use the ideas in The One Minute Manager to improve our security practices.

1. Set Goals – What are you trying to protect? What is your security program trying to accomplish? You can’t protect everything, so you need to pick your battles. In my goals setting, I use the risk equation of risk=impact X probability (see Risky Business post). This helps me determine the lowest hanging fruit that has either the highest impact or is most likely to be affected by a security issue. Write and publish your goals. This lets others see what you’re up to. Also, take a minute every once in a while to read and re-read each goal to determine your progress.

2. Praise Good Security – Praise people immediately to their face (if possible) telling them and others how they improved security for themselves or your organization. Be specific and let them know how good you feel about what they did right and how it helps the organization. Encourage them to do more of the same. This is where we in security often fall short. We only see the bad, where security is lacking and are not catching people doing things right. That’s only half of the picture. This also helps put the overall security of the organization in perspective. In one of my first security jobs, my VP said, “Our security sucks.” I responded, “No sir, we have good security, in pockets. Our challenge is to make it consistent across the company.” By praising good behavior, we are encouraging more of it.

3. Explain opportunities for improvement – We all sometimes fall short of our expectations and goals and need to be reminded of them. In the book, this is referred to as the Reprimand. Security professionals and auditors often fail here and don’t do it right. We either don’t find the root cause, don’t address the right people, or don’t collaborate on solutions. The way to do it is: (a) make sure you have the right people who are responsible for the problem. Sometimes we misplace blame or don’t tell the real person responsible. (b) Tell them immediately, specifically where they fell short. (c) Brainstorm with them on ideas and suggestions for improvement. Don’t tell them how to do it, but collaborate on the opportunities for improvement. (d) Reaffirm how important they are to the security of the organization. It’s critical here to make sure that you are addressing the problem and not the person. Also, you should be working with the people to ensure the correct solution is in place.

Taking these three steps should increase the credibility of your security services and reduce the negative feelings. It will promote collaboration that provides buy-in from critical resources improving the security practices of your entire organization. Of course, I’ve only scratched the surface of The One Minute Manager. All security professionals should read the book and use its techniques to better manage your security program. Lastly, continue to use the SecurityCatalyst forums to share your ideas.

By working together, we all become stronger.

If you enjoyed this post, make sure you subscribe to my RSS feed!

According to many, user education is one of the best methods of ensuring adequate protection of your information assets.  It’s been eternally touted as one of the requirements of a viable information security program.  This article is not about that, though.  It’s about knowing your users/customers.  Yes, Mr. & Ms. Security Professional, your users are also your customers.  You are here to serve them; not vice-versa.

How well do you understand your users?  Are you aware of their needs, habits, and abilities?  Most security professionals understand the technology, but don’t have a clue about their user base.  All security professionals need user awareness training to ensure they understand their customers.

In the June 1, 2007 edition of CIO magazine, Publisher Gary Beach asks the question, “How social are you?” (http://www.cio.com/article/109302)  He references a new report by the Pew Research Center titled, “Typology of Information and Communication Technology Users” (found at http://www.pewinternet.org/pdfs/pip_ict_typology.pdf).  This report classifies Information and Communication Technology (ICT) Users.  Based on its findings, we in security can no longer assume that users are stupid.  From Mr. Beach’s column, “customers (users) are ‘wicked smart.’ They know what they want, they know how to get it, and they’re doing so by leveraging the poser of social networks to reach out to <others>.”

The report’s author, John Horrigan has classified ICT users in America into ten categories based on their ICT assets, actions, and attitudes.  The ten groups that emerge in the typology fit broadly into a “high end,” (31%) “medium users,” (20%) and “low-level adopters” (49%) framework. However, the groups within each broad category have their own particular characteristics, attitudes and usage patterns.

From the Report*,
  - 8% of Americans are deep users of the participatory Web and mobile applications;
  - Another 23% are heavy, pragmatic tech adopters – they use gadgets to keep up with social networks or be productive at work;
  - 10% rely on mobile devices for voice, texting, or entertainment;
  - 10% use information gadgets, but find it a hassle;
  - 49% of Americans only occasionally use modern gadgetry and many others bristle at electronic connectivity.

Do you know where your customers/users fit?  How about you?
You can take their on-line Internet Typology Test (http://www.pewinternet.org/quiz/) to see where you fit in the new typology of ICT users.  Once you know yourself, you can better understand your users/customers.

By understanding your users/customers, you can tailor you security program to fit their needs. The fear of the unknown is often the greatest fear amongst security professionals.  By having a little awareness training of your users, that fear will be lessened.

To paraphrase from Mr. Beach’s column, the big deal is this: As your firm continues to drive a growth-and-innovation agenda, your users and customers ultimately will determine the degree to which you succeed.  So CISOs need to ask themselves, “Is my infrastructure sufficiently robust to encourage and support the use of ICTs while protecting against the biggest and most prevalent risks brought on by these new technologies?”  CISOs should have an understanding and a vision of their users/customers to enable their business’ use of technology while protecting the critical assets.

What do you think?  Is the Pew Report accurate?  Respond either in the comments below on the Security Catalyst forums.

By helping each other, we all become stronger.

* Horrigan, John. A Typology of Information and Communication Technology Users. Pew Internet & American Life Project, May 6, 2007, http://www.pewinternet.org/PPF/r/213/report_display.asp, accessed on May 10.

If you enjoyed this post, make sure you subscribe to my RSS feed!

Please confirm your participation by June 12th

You probably thought I decided to stay in Key West. But, in fact, over the last few weeks I have focused on bringing the Information Protect Assessment Toolkit (IPAT) from testing to reality.
It’s ready and I’m ready to help you protect your organization by taking important steps to gain control of your information and reduce the likelihood of a breach.

What is IPAT?
The Information Protection Assessment Toolkit is a process that helps you identify security issues and develop an information protection plan. It is the first step in protecting your organization from a breach. The launch program begins June 19th.

IPAT is unique in that it includes every member of your organization in the process of protecting information. Many of us already understand that we need to do this but struggle as to how. IPAT shows you how. Through the IPAT process you will more accurately identify key details about your information and clarify where it exists in your organization. It involves every person and prepares them to be more receptive to awareness training. The results are transformative. I’ll share a story with you next week.

Who is IPAT for?

IPAT can be scaled for any size organization. We initially designed IPAT for smaller organizations – the so-called “one man shops” - with lots of work, little budget and the need for a supported process that works. In development we realized that IPAT is flexible and scalable. We mentioned it to others and we are now in discussions to implement this approach in Fortune 50 organizations. We’ll be sharing more details next week. In the meantime, I’ll quickly explain a few details

The IPAT System
IPAT is a system - not a one-time event - that takes a multi-disciplinary approach to protecting information. It guides you through an assessment and planning process in five weeks and then supports your protection efforts for the entire year. It includes:

• a set-up session where we review the elements with your facilitator(s) - to make sure that IPAT is clearly matched to your needs
• a toolkit (templates, guides, presentations, audio and other support resources) designed for the dominant learning styles.
• four coaching sessions (3 seats). We encourage you to spread them out over the course of a year - but they are yours to use without restriction.
• Most importantly, the Security Salon! With the Salon, you receive monthly teleseminars, weekly “office hours” with text-based chatting, a repository of more information, resources and ways to improve how you assess and protect information.

Five weeks of Roll-out coaching
IPAT Roll-out Coaching is a series of 75 minute teleseminars delivered over five weeks to keep you on track with the IPAT program. This is normally an option with an additional cost. I’m including it for free for the June 19th program.

This is a proven program already in practice
We tested the individual pieces of the system over 18 months then rolled it all into a simple, but effective program. IPAT is now ready - and we’re rolling it out for you. Those who join us for our launch will receive the optional, Roll-out Coaching, free.

Investment
While hiring us to perform an information protection assessment can easily cost tens of thousands of dollars, we have designed IPAT so that you have the tools and guidance to do the assessment yourself with our support for $5000. This solution is affordable for organizations of all sizes.

This is a program, designed from the ground up, to get you the information you need, when you need it; it supports you when you need support; and lets you focus on the business of your organization.

The Benefits of Starting Now
The materials and process of IPAT are proven. I’m now looking for a few organizations that are ready to get serious about protecting information. I am ready to support you with the Information Protection Assessment Toolkit. As a thanks for helping me tweak the program before full implementation, I’m offering the Roll-out Coaching for free. Space is limited to the first 25 people - and we will begin on June 19th.

I’ll have more details available next week.

If you enjoyed this post, make sure you subscribe to my RSS feed!

When we launched the Security Catalyst Community, the hope was that by supporting one another, eventually we would find a project or some synergy that really makes a difference. As the community continues to grow publicly, we’ve found our first opportunity (and we’ll have more announcements in the coming weeks, too)!

During my last trip (sorta a pre-campaign warm-up), we stopped in Baltimore. I took the opportunity to catch up with Bill Sieglein, a good friend and fellow passionate professional. Bill created a group called the CSO Breakfast Club - and we talked about how to work together –> so expect to see more in the future. Meantime, if you’re available for one of these events, I’m confident it will be time well invested. You can learn more at the CSO Breakfast Club website: http://www.csobreakfastclub.com/

Bill also revealed to me that he’s working on a book titled Building and Maintaining an IT Security Program.

Book Description
Compliance is the hottest buzz word throughout the business world today and therefore ensuring the security of IT systems has become a prime focus for all companies conducting business in any electronic fashion. This book presents a set of practical guidelines and operating procedures that will clarify the relationship between information security management and compliance. Written by an expert with 25 years of IT security experience, this comprehensive guide will assist companies in assessing the risks inherent in conducting business, understanding which industry standards and practices are available to them, and in implementing successful and cost-effective information security programs.

This week, Bill called me, fully in the spirit of the community, and asked if would be possible to open the project to the community members. This allows us to blend the ideas and experiences of the members of our community in a book about how-to. We also then talked about providing some coaching and using this as a chance to bring some of the members together. I’m entirely for it - and if you want the opportunity to participate, you can learn more here: Opportunity to be a contributing author to my new book!

If you enjoyed this post, make sure you subscribe to my RSS feed!

Last night I took the opportunity to celebrate another (Key West) sunset. Ironically, it was the sunset I have been searching to capture on camera for a while - and yet it eluded my lens. Regardless, I drank it in, felt some stress slip away and then took in a “show.” The street performers of the Sunset Celebration in Key West are some of the most entertaining and practiced I have seen. When you visit and take the time to celebrate, do plan to stick around and be entertained.

Yesterday I had the opportunity to see the Great Rondini, an escape artist, dazzle and entertain the crowd. What I enjoyed (as much as the performance itself) is how he built the crowd, got the energy going and then put on a show - and in the end, he escaped his bonds. In addition to his humor and well-practiced quips, he stopped at least once, commanded our attention and issued a heartfelt thanks for supporting him. No, not the pitch for money… a true thank you for rewarding his efforts with our attention and applause. It was an honest emotional connection with the audience.

(I tried to insert a picture here, but my software bombed out - maybe soon!)

Beyond his excellent performance, I noticed that he held the attention of my children for the entire time (I also don’t recall any cell phone conversations or people using blackberries!). Better yet, when he was done, he came and thanked each child that came by - and rewarded them with a glow-stick style bracelet. It was genuine and classy.

On the walk back, I started thinking about how we could apply what I just experienced to our practice of security and how we protect information….

Rondini worked his timing, built interest, got people engaged and then put on a show. He waited until the sun went down (and people were less focused on finding the “right” spot. He waited patiently until the tight rope act was done, and then quietly stood on a chair and then blew a whistle. A bright orange get-your-attention whistle. SHOWTIME! He immediately engaged those standing right near him (including me) to form up at his line. He even said - look like you’re a crowd (to some laughs). He has a line for each of us as he invited us to participate. He threw out some practiced lines to get you to laugh… which is immediately disarming… and slowly, the crowd grew. When the crowd was right, he selected volunteers - got the crowd to support them and started the show.

It was clear that he was a professional. He’s practiced at his craft - and yet the show was different than I have seen in the past (so he’s still improving, changing and growing). Think about it for a second - how do you brief people? How do you explain what you do? How do you approach security?

Rondini smiled. He engaged. His passion for performing came through. As a security professional, this is an approach we need to follow. Rondini only gets paid when he puts on a good show. The larger the audience, the better the involvement and the stronger his performance, the more tips (and larger tips) he will be able to collect. He is motivated to improve and to perform. Most of us are lucky - the paycheck shows up no matter how well we do. Take a moment, though, and imagine ALL of your compensation based entirely on how you connected, engaged and entertained?

I don’t think it makes sense to tell people security is hard, complex heavy and something they _have_ to do. We can all learn something from the Sunset Celebration Performers - and bring a bit of entertainment to our efforts to make a difference. I am confident you will reap rewards from this approach.
Here is what I learned from Rondini - and how I think we can all benefit with our practice of security:

1. Choose the right time to perform (or deliver your message)
2. Engage your supporters and build them up (we need to find and build security champions)
3. Bring the audience into the performance and reward them (we need others to engage - but they have to be encouraged and rewarded)
4. Rehearse, rehearse, rehearse - so you seem practiced, smooth, confident - and really entertaining! (we *all* need more of this. period.)
5. Show sincere thanks and remain genuine and classy

Need help - shoot me an email: securitycatalyst@gmail.com. When this works, share your success with me!

If you enjoyed this post, make sure you subscribe to my RSS feed!

You should be familiar with the phrase, “Be Prepared.”  It’s been used by millions of Boy & Girl Scouts around the world since 1907 [1].  Boy and girl scouts are trained to be in a state of readiness in mind and body, so that you know the right thing to do at the right moment and are willing and able to do it. 

As security professionals, shouldn’t we also “Be Prepared?”  We need to have a “tool bag of knowledge” that we can open whenever an event occurs.  This is a set of resources, instructions or processes that you can use when responding to a security event. An organized and careful reaction to an incident can mean the difference between complete recovery and total disaster.

One of the “security triangles” is protection, detection, & reaction.  Our response to an incident is just as important as how we protect key assets and detect anomalies.  An incident doesn’t have to be related to computers; it can be almost any unexpected event.  Also, your response should be a process that uses available tools, techniques, and technologies to address the most common risks.

The following are basic, high-level steps that prepare you for incident response:

 1. Risk Identification.  No one person or organization can prepare for everything that may possibly happen.  It just doesn’t make sense.  We in the Midwest are not prepared for a tsunami, nor should we be.  But we are ready for tornados, especially this time of year.  You need to take the same approach in preparing your incident response.  Ask yourself, “What’s the worst that can happen?”  What threats are most likely to occur and have the greatest impact?  Identifying the greatest risks will help you prepare an incident response plan that covers the most likely events.

 2. Get support.  You cannot possibly know nor do everything.  You need to have a support group ready to help when the time comes.  The group you will need depends on the threats and the incidents identified in step 1. 

 3. Practice. The only way to get good at something is to just do it.  Realistically, this isn’t always possible when responding to an incident.  At the very least, you should conduct a paper exercise where you and your support team discuss the incident and your response. As you practice, document what you do, what works and what doesn’t work. 

Note: these steps are not computer specific.  They will work for any type of incident: technical or not; business or personal.   In researching this topic, I searched on “incident response steps.” It’s interesting is that the top results all have to do with Computer Security.  Incident response is not and should not be unique to computers.  The basic, high-level preparation steps are the same, whether you’re responding to a shooting or a computer intruder.

Louis Pasteur said, “Chance favors a prepared mind.”  Improve your chances of success by being prepared.  You can join a discussion of Incident Response on the Security Catalyst forums: http://community.securitycatalyst.com/forums/index.php/topic,366.0.html.  Let us know how you prepare.

By helping each other, we all become stronger.

If you enjoyed this post, make sure you subscribe to my RSS feed!

Greetings from Ocean City, MD! We came down here this weekend to spend our Easter Weekend with some friends. Having an RV allows us the ability to travel as a family for work and for pleasure. Now that we’re back on the road, I remember why I love these trips so much (even when I am working): I welcome the opportunity to stop the world for a bit, get outside, relax and unwind with my family.

As I look back on the last few months, I am excited about the ground we have covered and the opportunities that come before us. Thank you for your continued support. As we prepare to take some next steps as a group, I wanted to share with you some plans – both to get your feedback and to ask for your help.

April is proving to be an interesting month: several of the efforts I (and some colleagues) have been working on for the last year are “ready.” In addition to launching some new offerings and solutions, we’re taking the family on an RV adventure in April/May and gearing up for a “Security Revival Tour” in 2007, followed by a “Campaign Across America to Protect Information” for 2008.

I’ll share more details about the tour(s) and such in the coming weeks. I could use your help in selecting cities, helping to spread the word and maybe even guiding some logistics. In return, those that help will discounted or free training, coaching and the opportunity to spend some time together.

I need some help - Short Term
In two weeks, we are leaving Albany, NY and heading to: Nashville, Atlanta, Key West and Baltimore. We are currently planning the following schedule:

•    Nashville (arrive Monday, April 23, leave Wednesday April 25 or Thursday April 26)
•    Atlanta (arrive Thursday April 26, Talladega April 27 – 29, back to ATL 4/30 – 5/2)
•    Key West (5/3 or maybe 5/4 to 5/8 or maybe 5/9)
•    Baltimore (5/10 – 5/18)

Atlanta is hopefully going to see the launch of the SEN/Salon and some evening gatherings. I have a long stretch in Baltimore and could really use some help connecting and reconnecting with the various groups I have worked with there.

In each city, we’d like to offer the following programs:
1.    Are you Making a Living, or a Life? (morning) combined with Career Compass Coaching (afternoon)
2.    Speaking About Security (public, private or semi-private)

Where feasible, I’m happy to offer some professional keynotes to the organizations that are in a position to support my efforts (or otherwise are good groups and would help you or make a difference).

SCC members can take 10% off or select a BONUS coaching session. In addition, registered participants in each location are eligible to win:
-    coaching session (value: $250)
-    presentation makeover (value: $500)

If you can help, please drop me a note and I’ll send you more information on the different programs, etc. We are working to finalize our marketing plan this week, and then spending Q2 working to get all of our marketing and branding in place. We’re all close!!

Thank you for your help and continued support.

Programs
Speaking About Security
Are You Making a Living, or a Life?
Career Compass Coaching

Available Keynotes
Transform Your Awareness Program
Setting Your Career Compass
Into the Breach
Speaking About Security
Do More with Less and Have Less Stress!

If you enjoyed this post, make sure you subscribe to my RSS feed!