Identity Management in 13 Easy Steps
by Ioana Justus
If you were asked to throw a few million dollars out the window, would you do it?
If yes, let me know where and when – I’ll happily wait outside with my catcher’s mitt. More likely, the quick answer to this question is a resounding “NO”. Few circumstances would lead someone to literally throw millions of dollars out the window, down the drain, etc. Not a million dollars, not in a million years.
What about companies that, effectively, waste millions of dollars trying to implement identity management?
The sad reality is that many organizations trying to implement identity management do just that – waste big money – on the wrong technology, or even on the right technology that sits idle because it can’t be used as designed. Worse, some organizations look to even more technology to “fix the shortcomings” of their selected product. The end result is the identity management version of Frankenstein’s monster.
If you peruse the latest identity management articles from your favorite research company, you’ll find the same discussions over and over: How do we justify the cost? Why do so many companies stop at “single sign-on”? Why do implementations take so long? Why do implementations get halted mid-effort? What’s the true benefit of identity management? What’s the ROI? You’ll also find the same tired answers – whether in printed form, or at one of the many IAM conferences across the country: IAM saves costs at the help desk. IAM can help with audit. IAM can reduce headcount in your access services department. Companies bite off more than they can chew, ROI takes too long, so they give up.
But what does it all mean?
Are we really doomed to these behemoth infrastructures that sit largely un-used, while we pay off consulting and software bills that often run into the millions (if not tens of millions)?
No, we’re not.
IAM is not a lost cause. It can lead to lower costs, easier audit processes, and a demonstrated postive return on investment (ROI). But it takes time – and discipline. As with many aspects of security, identity management is not about technology – it’s about people and process. The technologies are out there, and getting ever-more mature. But, IAM is NOT a Mac or an iPhone – you don’t just turn it on and it magically works. There is a lot of configuration and even custom development that needs to be done after you install your product suite of choice. Even before that, there is a TON of data cleanup, data modeling, and process design that needs to take place, and that is at the heart of this series:
Identity Management in 13 Easy Steps
Of course, the series title is a bit tongue-in-cheek. There’s nothing particularly easy about identity management. Then again, it’s not rocket science, either. It just takes a little thought and a lot of tedious effort – and did I mention discipline? The focus of this series is all on process and data. In fact, product selection is saved until the very last article. That’s right – if you can keep your instant-gratification urges at bay, I recommend that you don’t even bother buying anything until you’re ready to use it. Why spend all that money on a fancy technology if it’s going to sit there, idle, while you beat your head against the wall trying to clean up the data and processes that it needs to function?
An identity management implementation will only be as good as the data and processes feeding it, and that’s the problem many companies face today – most organizations buy a product and figure out after the fact that they have a ton of work to do to make it function. As a result, there is such a lag between the time of purchase and the time of ROI, most management teams lose patience and halt the effort. If you pave the way to implementation by first cleaning house, when you implement the technology its benefit will be seen quickly, which will encourage management to keep it going and try more.
There’s another critical aspect to this approach: gaining the needed experience to properly document requirements. Identity management is extremely complex. No one can just walk in and “get it” in one sitting. Even if the high-level concepts seem obvious, you have to live with the dirty details for a while to really understand the needs of your particular situation. The better that understanding, the better the requirements. The better the requirements, the better the product selection. Choose the right product, and you avoid tossing millions out the window.
Are you ready for this journey? If so, let’s get started. Here is the series I have planned – one article per month. This may not seem like much, but unless your implementation will have a very small user base, it will take longer than a month to execute most of these steps anyway. Of course, the series may change along the way – I’m already concerned about the volume of information I’m trying to fit into some of the articles. I may find as we go that a few of these topics will require multi-part articles. We’ll deal with that when it arises.
For now, here’s the intended schedule:
December 2009: Identity Management 101 – an overview of the different components of an IAM suite, to make sure we’re all on the same page and speaking the same language.
January 2010: Identifying Systems Integrations – not all systems will integrate (directly or indirectly) with IAM. Determine which ones will feed the priority list for the data cleanups and process work.
February 2010: Data Cleanup Part 1 – before your identity management system can work, it needs to be populated with all userIDs, and those IDs have to be clean. The first cleanup is focused on the primary IDs such as AD/LDAP and other key systems.
March 2010: Data Cleanup Part 2 – a key benefit of identity management is the ability to link userIDs in multiple formats from a variety of systems to the user’s primary record. The second cleanup focuses on identifying which IDs belong to which users in preparation for proper linking.
April 2010: Preparing for Password Self-Service – password self-service is a key cost savings of IAM, but it’s harder than you might think. This article will help you prepare your policies and your users for the technology to come.
May 2010: HR as a Source of Record – the HR system is a primary source of record for employees. It can also be one of the primary sources of errors and limitations for identity management. This article will explain the issues that most companies experience when interfacing with HR technologies (and departments).
June 2010: Role- and Rule-Basing – in order for auto-provisioning and -deprovisioning to work, the roles and rules need to be defined. This article will teach you how to avoid turning this effort into a rat’s nest.
July 2010: Role Hierarchies – workflows cannot be enabled without proper approval processes. But approvers aren’t always line managers. This article describes the various role hierarchies that should be established, and the synergies that can be achieved between identity management and other sources of record (e.g., financial systems).
August 2010: Workflows – workflows are the key to automating many processes. This article discusses the considerations in setting up workflows to ensure that they function effectively.
September 2010: Termination and Transfer Gotchas – terminations and transfers are key control activities that are of great interest to auditors. Getting this right in identity management will save everyone a lot of work. Getting it wrong can be disastrous. Learn the pitfalls in this article.
October 2010: Password Self-Service – whereas the April article deals with the foundational aspects of password self-service, this article deals more with the implementation aspects: how to select challenge questions that make sense, exposing PSS outside of the corporate network, etc.
November 2010: Effective Business Cases – now that your house is in order and you have almost a year’s experience with your organization’s circumstances, it’s time to build a business case to buy a product. This article explores a number of value-added functions of identity management that will intrigue your management and encourage them to allocate budget.
December 2010: Requirements and Product Selection – you’ve cleaned your data, defined your processes, and secured a budget. It’s finally time to pick a product. This article will help you document and prioritize detailed requirements based on a year’s experience in the trenches, so that you can make the best product decision possible.
Continue Playing
by Jeff Kirsch
In “Playing Games”, I shared some lessons that I learned while playing chess with my son. Chess is a rich example of the need for, and challenge of, planning ahead. For those unfamiliar with this game of skill and strategy, the goal is simple: Capture your opponent’s king and force him into a position known as “checkmate.”
During the game, opponents take turns moving one piece at a time until a player is considered to be in “checkmate”, meaning he can no longer move his king. An interesting element is the need to notify an opponent when they are one move away from being captured by declaring “check.” This is a great game rich with strategy and nuance, with more details here.
So how does chess fit into my “plan ahead” strategy?
If a player simply moves pieces on the board without thought as to how her opponent will act, pieces will be captured easily, leaving her with a weaker offense and defense. Opponents must be evaluated on how they will move; offense must be based on anticipation of defense. Chess is a game where there are two opponents with an obvious adversary, and the less obvious self. Those who properly anticipate the other player position themselves for maximum advantage.
The act of protecting information is similar to the practice of protecting the King. Those who seek to attack the protected information are opponents, and considered what they are doing as a game. I’m not suggesting that what we treat it as a game as well; rather, what is important is the strategy required for both.
Understanding that we are at a disadvantage from the start is key to devising our strategy. Our opponent needs to remain undetected until they have what they need. If they are discovered too early, the chances of achieving their goal drops dramatically.
Firefox Patch Tuesday
by Carl Anctil
Background:
A few months ago, Microsoft released (and silently installed through Windows Update) a .NET Framework Assistant add-on for the Firefox web browser. Microsoft installed this add-on to Firefox without warning the user that the add-on would be installed as part of the .NET Framework 3.5 Service Pack 1. Security professionals, bloggers, users in general all over the Internet were in an uproar over Microsoft’s activities. Propel forward a few months, and Mozilla proactively disables two Microsoft-installed add-ons; one of them is the infamous .NET FA add-on. Following some discussions with Microsoft, Mozilla later selected to unblock the .NET FA, but continued to block the .NET Windows Presentation Foundation add-on.
Situation:
The browser is rapidly becoming the “new” OS, and add-ons are the “new” applications. This is the new computer model. The momentum is moving toward SaaS, IaaS, PaaS and other cloud computing acronyms. The impact this is having is such that our browsers are acting more and more like Operating Systems.
If we look back and remember how networking has evolved over the years, we will notice a pattern. Many years ago, networking emerged from thin clients, then it advanced to thick clients and now we are going back to thin clients. The browser is the new thin client. It’s essentially the new OS. It isn’t a coincidence that Google’s new OS is called Chrome OS. Or is it? Can anyone say: “Firefox patch Tuesday”? I think we may have witnessed the first Firefox patch push.
When Mozilla decided to proactively block two Microsoft add-ons, the result of this action was effectively the same as patching a vulnerability (automatic updates). The reason these two distinct actions are similar is because the results are the same; they both prevent, fix, or block a vulnerability from an exploit. The block imposed by Mozilla impacted every instance of Firefox automatically, without user interaction.
What’s even more disturbing with this model is its ability to completely bypass many perimeter defences. This cloaking behaviour is a huge blow for the security of our networks. It’s giving a transporter to our adversaries to infiltrate our networks. Once inside our browsers, this enemy fundamentally becomes a virtual insider on our networks. It turns our users into allies and uses tactics that are very effective and easy to deploy: Tricks like social engineering, spear phishing, SPAM and emails with various types of specially-crafted attachments, etc.
We must protect and educate our greatest asset, which is coincidentally also our weakest link: The user. Vulnerabilities such as XSS, XSF, drive-by downloads, etc. are almost always triggered by trusted, authenticated and authorized users on the network.
Conclusion:
I just touched on this subject, but I believe a general awareness strategy will have to play an important role in the future. The bad guys will keep winning as long as they are the only ones reaching out to our users. We must positively reach out to users or they will keep getting tricked into doing things against us (and themselves).
Securing the Toughest Times
by Ron Woerner
Whether you call it lay-offs, downsizing, rightsizing, redundancies, a reduction in force, or whatever, a reduction in staff stinks. Downturns in the economy often translate to a reduced volume of business, resulting in a correlated reduction in staff. One of the hardest jobs in Security is ensuring that those who are asked to leave no longer have access to the organization’s resources. This is especially hard when you know those affected. However it’s critical that this tough job be done.
The last thing you want or need is for an ex-employee to perform a malicious act as part of their departure. The recent case with the Fannie Mae consultant is a great example of how a malcontent could potentially cause your organization grave damage. Luckily, the Fannie Mae sys admin found the malicious script.
You shouldn’t depend on luck to protect your organization’s critical infrastructure during lay-offs. This article contains concrete steps for you to consider before, during, and after the dreaded layoffs. [Note: the critical nature of these steps is, in actuality, job security for those who need to perform them. Maybe you can use them to justify your job and keep it off of the “chopping block.”]
Before the announcement
Just as in any project (and this is a project), planning and coordination are key. Those managing or initiating the lay-offs (e.g., Human Resources) must have Security on-board early in the process. Delays increase risk to the organization. While secrecy is necessary to protect the process, trusted relationships must be established between all involved, including HR, Security, Legal, and Management. Security needs to know who is affected in order to know what needs to be protected. Security can also help properly protect the “list” prior to the official announcement.
Security personnel (both physical and information) need to ensure the protection of personnel and assets during the lay-offs. On the physical side, you need to make sure that those announcing the lay-offs are protected should the employee(s) get upset or abusive. Security officers should be trained and ready to handle potential conflicts and workplace violence.
Information security personnel should identify single points of (security) failure and high risk areas. This includes administrators with expanded ability, authority or access. Security should also determine if there are any single points of failure in the operations that would be affected by the lay-offs. Management should address these critical points well before the announcement to prevent any unexpected denials of service.
Security personnel also need to develop processes to remove both physical and logical access as soon as the notification takes place. This cannot occur too soon before the associate is notified, or else it might alert the associate, resulting in unexpected consequences. (No one likes to find out that their position is eliminated by having their network or badge access disabled.) Also, this cannot occur too long afterward, for obvious security reasons. Ensuring the correct timing requires pre-planning.
As soon as the announcement is made that your organization is considering lay-offs, extend your monitoring efforts. This could be before the actual lay-offs. Rumors can spread, and associates might take these rumors as reason to start their preparation should their name be on “the list.” Your efforts should include Data Leakage Protection (DLP) to ensure associates aren’t shipping critical company information (e.g., customer lists, intellectual property, or company employee data) to themselves or others. This could occur on the network or off. It’s very easy for an associate to sneak a USB drive filled with an encyclopedia of company data out the door. You also need to be cognizant of physical theft.
During the announcement
With your planning complete, it is now time to enact and follow those processes. As soon as the associate is told that he or she is no longer employed by the organization, you need to disable the physical badge, logical network, and phone access. The accounts should not be deleted, only disabled in case you need them in the future (e.g., rehires). It’s important that all access is also disabled for networks or assets that are externally accessible (e.g., VPN). The time required for this activity will multiply if IT hasn’t kept complete documentation of each worker’s individual access rights, passwords, user names, and security cards.
Occasionally, the manager will request that the separated associate’s email, phone, or voicemail remain available. This is to maintain contact with clients or customers. Security needs to have an exception process in place to handle these requests while making sure the separated employee no longer has access. It needs to be reassigned to the responsible manager or his/her delegate. Allowing permanent access is not a good idea. There should be a set timeframe for this access to remain active before it is disabled.
Also, consider any shared accounts used by the separating employees. Do they know the UNIX root or Windows administrator password? Whether it’s that or any other password for a service account, make sure the password is changed ASAP.
Physical security personnel need to be watching and ready in case the affected people become upset. Normally, you don’t need a physical security presence to escort them. That can be accomplished by the manager and/or HR representative. However, Security should be ready in case things turn ugly. Additionally, they should be watching what property is leaving.
Part of your process should include the retrieval of any assets used by or assigned to the separating employee. This includes: Computers (laptops), USB drives, two-factor authentication tokens, cell phones / PDAs / pagers, and paper documents. When the employee is notified, the manager and HR representative should retrieve these items along with any other property of the organization. Of course, the employee should be allowed to pack up personal belongings, but corporate assets should remain.
Lastly, while the separations occur, continue to monitor online access and activities. You never know the mindset or attitude of those who depart. The potential for malicious acts is increased, especially against any resources that can be seen from the outside (external web sites). Your IDS/IPS should be watching those external network assets and you should be ready to take action.
After the separations
While the major threat may have passed when the laid-off employees have left, it is not completely gone. There are specific post-separation activities that need to occur to ensure risks stay low.
One of the most critical activities is the inspection of online and paper files left behind by the employee. Each manager is responsible for making sure this occurs, because he or she is in the best position to know what is and is not needed. This can be time consuming and tedious, but it can’t be ignored. The benefit is the freeing of storage space.
The manager or their delegate needs to inspect each piece to determine its disposition and whether or not it is still needed for the business. This person also needs to determine the retention period for any material that needs to be kept. This may require collaboration with the legal or compliance department as this material can be recalled for legal proceedings.
Another post-separation activity is inspecting online files for potentially malicious content. This is especially important for any systems administrators who were let go. There have been many stories of sysadmins leaving backdoors, Trojan horses, and time or logic bombs behind. Remaining sysadmins need to inspect any scripts created by the associates along with any scheduled jobs. Failure to take this step could be devastating for the firm.
Lastly, use this time to document what went right during the process and where you have room for improvement. Take time to learn from the experience and enhance the process.
Conclusion
Staff reductions are a part of corporate life. As painful as they are, they are often critical to keep the organization functioning at full capacity. Security needs to be an active participant in the lay-off process to ensure the risks are kept low. The removal of access is only one of the many areas requiring the attention of Security. They also need to be actively monitoring both the physical and on-line activities of the separating associates. This isn’t to be intrusive, but to ensure the continual protection of the organization.
Having a positive security model with validation and enforcement provides a deterrent to malicious behavior as well as the tools to quickly indentify and contain threats when needed. A positive security model includes: policies, procedures, detective and preventative technology, and proactive monitoring. The tips in this article will aid you in the development of your security model so you are ready when the time comes.
Checklist of Security Items to Consider with Lay-Offs
Before
Planning / Establish processes
Disabling access
Communications
Establish trusted contacts
HR
Legal
Security
Management
Identify single points of (security) failure
Employees who pose a danger (to themselves or others)
Administrators
Associates with access to sensitive or confidential data
Identify risks
Intellectual property
Confidential data
Property
During
Disable regular individual access
Logical
Physical
Phone
Email
Remove access to shared accounts
Administrator accounts
Service accounts
Other shared passwords
Asset retrieval
Computers (laptops)
USB drives
2 Factor authentication
Cell phones / PDAs / pagers
Paper documents
Enhance monitoring
IDS/IPS
Logs
Physical surveillance
After
Continued vigilance
Review of assets “left behind”
Online documents, files, and shared storage
eMail
Papers
Check for backdoors, Trojan horses, logic bombs
Unix
Windows
Databases
Network devices
Lesson’s learned
What went right?
What could be done better?
Process improvements
Playing games
by Jeff Kirsch
Recently, my son told me a story about how he played chess with a friend at school. In his story, he said his friend executed a certain move; my son then asked me if I had ever tried that move. I was a bit confused; I’ve played chess on and off for at least 20 years, but I’ve never heard of this play. My son asked if we could play, and more importantly, if I could teach him. Looking at the clock, I thought about how I needed to get his siblings into bed, and that he needed to read a book for school.
He promised to read his book while I put his siblings to bed. After the other kids were in bed, I got him from his room (where he had read a chapter of his book), and we headed downstairs for his lesson.
I explained the chess pieces and how they moved; he remembered this from the last time we played. We began the game and I watched him bring his plan to fruition. I didn’t start with very much instruction, because I kne
w that the best instruction comes when you are “deep in the weeds”, so to speak. I took a few of his pieces, and the teaching began.
For each of his moves I helped him see what my next moves could be and how that would affect what he should do. With each move, he needed less and less instruction, but his questions became more complex. Of course, like most novice chess players, he still needed help remembering how the pieces moved (especially the knight). Looking at the clock, I realized it was just a few minutes till his bedtime, so I finally made an exchange of pieces I had put off for most of the ga
me. A few moves later he was in checkmate. He looked at me with a huge smile on his face and gave me a big hug. “That was fun, Daddy,” he said as I squeezed him tight. “I can’t wait to play again.” That is when two thoughts struck me, which I shared with him, and which I’ll share with you now.
In losing, you win
We hear all the time that most successful people failed, sometimes more than once, before
being successful. Even after those people “made it”, they still face bumps in the road. What came out of my mouth first to my son was, “In losing, you win.” I went on to explain that you have to lose a lot of games of chess in order to learn how to play the game. This came out almost automatically, but then I started to reflect on what I had said. I realized that I wasn’t just talking about the game, I was talking about life and all the challenges we face.
In information security it is easy to become overwhelmed. We always feel like we are three steps behind. We put together teams, we focus on security and secure practices, and try to funnel everything down to a few points where we can protect our vulnerabilities, only to find that someone left the back door open. To add insult to injury, we get raked over the coals because the one thing we forgot compromised everything we were trying to protect. However, until the day you forget to lock one door, you have no real concept of the consequences that await when you do fail. In that moment of failure we have the ability to learn the most.
A plan is good, but plan flexibly
My son went into the game thinking there was a defense he could set up in the beginning that would win the game. What my son didn’t take into account was that I would have a turn, and that I could attack his defense – thus also keeping him from the offense he had planned. He immediately understood his mistake and explained to me why he should have paid attention to what I was doing. I was again hit with the realization that the lessons from this game were more than just lessons about a game. If we only plan to defend our systems from attack, we fail to see the most critical vulnerability and fail to account for a possible offense.
Flexibility is critical not just in information security, but in all aspects of our personal and professional lives. People who plan ahead certainly can start out of the gate faster, but when they get a few miles down the road and their tire goes flat, how do they sustain momentum? If you can adjust your strategy not only to account for defense, but also to incorporate an offense, you double your chances for success. In the end, you even the playing field by using your strengths and understanding your opponents’ weaknesses.
In a moment of just playing a game with my son, I re-awakened the magic of chess and learned some valuable lessons. There are plenty of people who make fun of the game and those who play it, but there are just as many (if not more) who play it and get it. When you realize that it is not simply a game, but that it also has many lessons to impart, you find that “losing” really isn’t losing. But just as in chess, you’ll encounter people who don’t get what you do or why it is important. Instead of discounting them, find a away to convey what it is and why they should care. You aren’t going to convince everyone and it won’t be easy, but giving up before you start says a lot about your character and reflects the quality of your work.
Embracing Manjoo’s Madness
by Dennis Kuntz
There was a little bit of a buzz recently regarding an article on Slate called, “Unchain the Office Computers! Why corporate IT should let us browse any way we want”. It’s basically a litany of complaints about how the IT department, “that class of interoffice Brahmans,” decides “ridiculously and capriciously, how people should work”. Very clearly it wasn’t going to win a bunch of fans from the Security Twits lurking around on Twitter’s infosec community.
The author’s rants run the gamut from legitimate beefs to notions that would make the most incompetent infosec employee cough up a hairball. He also seems to be completely unaware of the myriad legal, HR, and compliance bogeymen that serve as drivers of so many security policy restrictions. All of that coupled that with what seems to be a disrespect (or at the very least a disregard) for the skills, responsibilities, and intentions of your friendly IT worker would certainly make him a difficult customer.Who wants to deal with that?
A lot of the reactions to the author’s opinion were expected and understandable. If I recall correctly, “clueless” and “dangerous” were at least two of the words used to describe it. I don’t necessarily disagree with this either. The point of this post is more about what comes next: Do we, as those “interoffice Brahmans” simply thumb our noses at a very rash and simplistic view of the whys and hows of security-and-policy-minded restrictions, and tell the author to get the USB key that he found in the parking lot out of his PC and get back to work so that we can get back to saving the world from the l33t h4×0rs whilst doing the Dew? While not everyone would take that tack, let me suggest a different approach anyway.
The author, Farhad Manjoo, represents reality. He’s a real person who uses real technology in the real world. And he’s frustrated. He also represents a pretty wide view. In a Cisco-commissioned study on leakage prevention (get the papers here, and a decent summary here), it was discovered that:
“The majority of employees in eight of the 10 countries surveyed indicated that they believed their company’s security policy was unfair or impeded their ability to do their job. Employees with more access to collaborative Web 2.0 applications and social networking sites, video and mobile devices, expressed that they increasingly used these technologies in the workplace but were frustrated with rigid or outdated IT security policies that limited their use. “
With that, we need to accept that he and people like him are our customers. Rather than slough off Mr. Manjoo’s opinion as just being one of the uneducated masses, I contend that it’s our job to listen to his opinion and address it appropriately:
- If the reasons for a particular policy are draconian or reactionary, they should at least be reviewed, if not changed/updated or eliminated.
- If the reasons are justified (“justified” here does not mean “because we, the Brahmans, said so”; it means a very real, pragmatic justification for which there is not a reasonable alternative in order to protect the data/assets), then they need at the very least to be explained. Education and continued relationship- and awareness-building would be even better.
- If the policies really cause them to not be able to do their jobs (which does indeed happen), our job – and one of the aspects of it that makes what we do so cool, challenging, and fun – is to think creatively of how to allow them to do their jobs while keeping the data/assets safe.
I say let’s bump things up a notch: Make it a point to seek our your own personal Mr. Manjoos, embrace them, and convert them. Difficult customers, once converted, can become some of your greatest supporters. They might even spring for the Dew.
Into the Breach – Audio Series – Chapter 1 (Breach: A Human Problem)
Episode 2: Into the Breach: Chapter 1 (Breach: A Human Problem)
Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy – to get started on your personal journey). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).
What you’ll find in this episode (Chapter 1)
Chapter 1 defines the challenge of breach as a “human problem” and begins the journey to understand how and why we got where we are today. Michael reveals how reliance on technology has masked the true nature of the problem and explains how to re-think the way technology supports the needs of people. He also suggests that a focus on breach is too narrow, and that all information must be protected.
A personal invitation to go deeper Into the Breach with Michael Santarcangelo
In two weeks, join Michael Santarcangelo for an insider’s perspective and live conversation to journey deeper into the chapter. During the conversation, hosted by EMC, Michael will:
- Reveal the ideas and concepts that may have been pared from the chapter you just listened to
- Expand upon or update the elements in the chapter you just listened to
- Answer questions in a candid and direct style – focused on delivering insights that lead to results
Did you miss the in-depth discussion with Michael about the Introduction? If so, go to www.configuresoft.com/securitycatalyst today to register now and listen to the recorded session and get reminded to join in for the August session.
You want more, so after listening…
After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by
- Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
- Subscribing to The Security Catalyst podcast & blog to get more insights
- Checking out the upcoming schedule to meet Michael (and his family) “onTour” – as they travel the country by RV
Podcast: Play in new window | Download (8.4MB)
Into the Breach is in the home stretch; I’m headed to Charlotte to finish it up
I’ve heard other authors exclaim that at the end of the writing process, it felt as if they were ready to give birth — and couldn’t wait for this labor of love to be done. Well, I’ve been the husband/father side of pregnancy, and it was smooth sailing for me. Now that I’m nearing the home stretch of this book, I’m starting to understand…
Into the Breach: Why Companies Fail to Protect Data and What We Need to Do About It has been under development long enough! I have distilled the problem and presented a careful and easy-to-follow solution that will help companies improve their top line, protect their bottom lines and manage people, risk and information more efficiently. I am writing a book for business leaders to understand the fundamentals of how to unmask our human problem and take simple steps to reduce the chaos.
I’m ready to get this out there – and to share what I have learned and help more companies. So… I have decided to pack up the RV (it’s cold here in NY) and head down to Charlotte, NC. Why Charlotte? Why not. Seriously, though, my best friend lives in Charlotte – and he and some other good friends have suggested that we consider moving our base of operations to the Carolinas. The more the tell me about the region, the more I’m inclined to agree, so I decided it would be a good time to take 10-12 days to head down and check it out, while wrapping up the book.
I could use your help
If you live or do business in Charlotte – I would love to speak with you, or even meet with you in the next two weeks. I’m seriously considering moving our business there — and I’d like to learn about the business climate, partnership opportunities (or companies looking for a partner), family environment and the like. If you have a friend in Charlotte, perhaps an introduction would be possible?
Do you want a preview of the book?
I’m going to be hip-deep in finishing up the book. If you live in Charlotte and want to get a free preview – let me know and we can catch up. I’ll bring what I’m up to, and you can help me work through any rough spots while I get the manuscript finished off. I look forward to meeting you and working through the elements. This goes for business, personal… whatever. In fact… if you want to schedule some time with me and your team, I can share some of the keynote and strategies for success with you. I’ve been testing the book for the last year, and I know this works. I’m happy to share.
When you will get the book
I plan to have the galley copies out by the end of the month to my review team. I plan to have the entire project finished by the end of January and then it’s off to the printer!
If you can’t wait (for business or personal reasons)
I will be making a sample chapter available in the next few weeks. It’s seriously top priority for me. At that time, I’ll be able to accept pre-orders and take requests for autographed copies, too.
At the same time — you can book me right now for a dynamic keynote to prepare your organization now. In fact, we’re lining some up for December so that people can get this information before the new year! I promise I’ll do what I can to get this information to you and into the hands of decision makers as soon as I can.
I also am offering a limited number of my Information Protection Program to companies that want to implement the suggestions in the book to reduce the risk of breach, while reducing the cost of compliance. If you’re serious about changing the way people protect information, I’d like to have a conversation with you about how my program can help.
Have you considered engaging a professional speaker to turbo charge your efforts?
As we near the end of the year, I’m advising friends and clients on successful strategies to address their current challenges around improving their security programs, how to reduce the cost of compliance, and engage their people in security awareness programs that get results!
Several of my clients have started to book my keynotes and training programs using end of year budget; they view this as the perfect way to kick-start their programs next year. Obviously, I’m biased – but I happen to think this is a good idea.
Engaging me now for a keynote or day-long program brings you my experience, passion, energy and allows you to benefit from the research and effort that has gone into writing the book (http://www.intothebreach.com/into_the_breach.htm).
If you’re ready to engage your people, I’m ready to help you. You can call me at 800.996.8351 and ask for Ffion (FEE-ON). She’ll be more than happy to help you and arrange a time when we can speak.
What do people have to say about my programs?
I take great pride in being able to bring everything I have to each and every engagement. If you’ve worked with me in the past, you’ve experienced my passion and contagious energy. You can read some really appreciated endorsements of my efforts on my profile at http://www.linkedin.com/in/securitycatalyst
“Michael is a rarity in today’s world. He is a fountain of personal energy and knowledge that shows no sign of drying out. Even better than that, his sincere desire is to help others understand information protection concepts for their own personal betterment and for the betterment of the security community as a whole. Michael’s communication style is unabashedly straight-forward – cutting through the mess, and getting right to the point. This makes him a great presenter, coach, or sounding board. I truly appreciate Michael’s contribution to the security community and am grateful he is out there actually *doing* what so many of us talk about, but never seem to actually attempt.”
Mr. Carpenter
Information Security Manager
What are the most requested topics I speak on?
As a professional speaker and member of the National Speaker’s Association, I work with you to customize a program that meets the precise needs of your audience and delivers the results you need. I bring over a decade of in-the-trenches experience, combined with the breadth and depth I demonstrated as a top CISSP instructor and deliver it in an engaging, entertaining and simple to understand way.
Each of these programs can be tailored for your audience. Call me to explore how I can help you solve your information protection challenges or for program summaries.
Mind the Gap
Journey Into the breach, protect Information and reduce the cost of complianceSpeak with impact!
Communicate security so they really get itAwareness with Attitude
Developing the mindset for protecting informationPunching Above Your Weight
Get executives to care without peddling fearStaying Safe (Without Wires)
Protect your information, your identity and your children
Training workshops
I have developed these training programs based on my experience in providing opportunities to engage, understand and practice. If you are looking for clear results from a training session, I invite you to consider:
Results-driven Information Protection Through Leadership(one-day program)
Learn the process-driven approach to improved security, lower costs and higher valueSpeaking About Security (two-day program)
Communicate effectively and engage your audience in information protectionEngage. Empower. Enable. (one-day program)
Develop effective awareness programs that connect with your colleagues
See me in action (Video Demonstration)
Actually, the video I currently have is pre-triathlon training; while it shows my passion and energy, it’s time for an update. This means an opportunity for you. I’ve already reached out to some clients about a barter deal in return for high-quality video capture.
If you have the ability to record my keynote or training session this year, then we can make a deal!
What does it mean to be a professional speaker?
First and foremost, it means that I have met the requirements to join the National Speaker’s Association as a professional member, and I abide by their code of conduct and ethics. Being a member of NSA is not required to be a professional speaker, of course, but it does demonstrate I have achieved a level of success in this pursuit.
As a member of the National Speakers Association, I have the privilege to work with and learn from some of the best and most gifted communicators in the world. All of that learning, practice, feedback and insight goes back into the efforts I bring to you.
As a professional speaker, I actively study the elements of successful communication. I focus on how information becomes understanding – and specifically on how to guide understanding into action. This is a true passion of mine, and I have developed the Security Salon as a direct result. I’ll share more about the salon with you in the coming months.
When you engage me to work with your team or audience, I leverage my skills and experiences in a way that delivers you a program focused on your success.
Each and every engagement – speaking or training – receives extensive preparation and planning. Each message is tailored to your group and crafted to connect with the audience. Depending on the audience, I prepare customized materials and handouts or structure hands-on opportunities to work with the information and experience I am sharing.
When you hire me as a speaker – you get my insights, my passion, my experience and I always bring my contagious energy and can-do spirit.
Change is Good: Part III
Products & Services
“Without change, something sleeps inside us, and seldom awakens. The sleeper must awaken.”
-Frank Herbert
By now you’re getting a sense of what we are doing. With a new interpretation of our role in the information security community, a larger team, more consistent communications and new products and services, we are providing a comprehensive resource for individuals and organizations concerned about protecting data.
It is important that you understand that the change to The Security Catalyst is not cosmetic. While we have updated our marketing, our real investment has gone into developing toolkits, web-based services, new presentations, and bundles of services so that we can deliver what you need – whether you are technically inclined or not. Our new offerings includ• e:
- The Information Protection Toolkit (IPT)
- ‘Speaking About Security’ training sessions for security professionals
- The Privacy and Awareness Toolkit
- Keynote speeches and workshops designed to engage, empower and enable your teams
- Catalyst Sessions – dedicated and private support that blends coaching, consulting, and facilitation with deep industry experience.
We’ve been testing our solutions over the last few months, and I am now excited to offer them with confidence – to help you improve your practice of information protection. We’re putting the final touches on our website so we can share more details with you in the coming days.
Visit our website or contact me for more information.
Engage with Michael
-
Journey Into the Breach
