Into the Breach – Audio Series – Chapter 5 (The Strategy to Protect Information)

Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy.

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in episode 6, Into the Breach: Chapter 5 (The Strategy to Protect Information)

Chapter 5 is the introduction to Part II of Into the Breach — where the focus shifts to looking at what needs to be done. I outline a powerful, yet simple, approach dubbed “The Strategy to Protect Information.”

The key is the focus on information, not data, and the three steps that any organization must follow in order to be effective. The rest of Part II explains how – but simply learning and understanding the three-part strategy is transformative.

After listening to this chapter, you will know the strategy and be able to apply it to your current challenge — small and tactical or larger and organizational.

The timing works well as 2010 initiatives are being considered – and questions are always welcome at getresults@securitycatalyst.com or by engaging with me on Twitter (http://twitter.com/catalyst).

Unleash the full power in time for the new year: Announcing the Team Inspiration Bundle

Imagine the power of presenting a hand-signed, hard cover version of Into the Breach: Protect Your Business by Managing People, Information and Risk to a member of your team, an executive or even a partner or client to give them the very keys necessary to refresh, re-energize and refocus for an exciting year ahead.

As we head into 2010, Michael Santarcangelo and the entire Security Catalyst team are focused on celebrating the good in people and amplifying the positive. Into the Breach reveals the insights and sets forth the path for any person or organization to follow to get results that turn insiders into allies who reduce business risk.

This is a gift that opens doors and unlocks the ability to harness the power of people. Moreover, this book can be accompanied by an eBook or audio book version – and the resources of The Security Catalyst Online – to set the stage for a transformative year ahead.

CLICK HERE to order the special 10-book or 20-book package at a deep discount by December 24, 2009.

You want more, so after listening…

After listening to this segment of Into the Breach, keep the energy going, support the shift in thinking and inspire behavior change by:

1. Engaging (not just following) Michael on Twitter (http://twitter.com/catalyst)

2. Subscribing to The Security Catalyst Online Blog and Podcast to get more insights

3. Hiring Michael to deliver guaranteed solutions for your organization that turn insiders into allies who reduce business risk

Not enough? Need more?

Go deeper Into the Breach with Michael Santarcangelo in December, courtesy of EMC

In December, EMC will release the next recording of Michael Santarcangelo — behind the scenes — journeying deeper into the ideas behind the Strategy to Protect Information. Go to www.configuresoft.com/securitycatalyst today to register, listen to the earlier recorded sessions and receive a reminder to download the December session.

Into the Breach – Audio Series – The Introduction

Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the last Tuesday of each month (there are 13 chapters total).

What you’ll find in this segment

The Introduction explores the nature of the challenge faced by organizations around the world. As we prepare for the journey “Into the Breach”, it is revealed that breaches are only symptoms, and the real challenge is described as a human paradox. Setting the stage for a shift in thinking necessary to get results, three common myths are exposed and addressed. A powerful strategy to protect information is shared, and the clarion call to engage, empower and enable people is sounded.

A Private Invitation to Engage with Michael Santarcangelo

Build on your experience. Sign up for exclusive invitation-only conversations [click on the link to sign up now for your invitation] with Michael Santarcangelo, hosted by EMC. Join Michael for a live conversation two weeks after each chapter is released, where he will:

  • Reveal the ideas and concepts that got cut from each chapter
  • Expand upon or update the elements in the chapter you just listened to
  • Answer questions in a candid and direct style – focused on delivering insights that lead to results

The discussion centered around the concepts revealed in the Introduction is scheduled for Thursday, July 16th. Visit http://www.configuresoft.com/securitycatalyst.aspx for more details and to get your invite!

You want more, so after listening…

After listening to this segment of Into the Breach, keep the energy going, support the shift in thinking and inspire behavior change by:

  1. Engaging (not just following) Michael on Twitter (http://twitter.com/catalyst)
  2. Subscribing to The Security Catalyst podcast & blog to get more insights
  3. Checking out the upcoming schedule to meet Michael (and his family) “onTour” – as they travel the country by RV

netcast for this week: I was the (surprise) guest host on the Netsec Podcast

One of the true benefits of sharing thoughts through the spoken and written word is the ability to meet quality people. I thrive on conversation – especially discourse that leads to new understanding. I am a firm believer that through purposeful conversation, honest intentions and open minds we can solve many of the challenges we face.

So when Martin McKeay and I were “chatting” online Tuesday night, he popped in with “Hey – no pressure, but do you want to cohost tonight?” It took about a minute to decide. He shared some links to stories to talk about and I took 30 minutes to read them and write down some ideas – and then boom – we recorded.

I really enjoyed the conversation and was really amped at the end. It took me a while to get ready for bed – my mind was still engaged. I hope you have a similar experience when listening!

Find the show notes here: http://netsecpodcast.com/?p=48

And the direct link to the program here: http://media.libsyn.com/media/mckeay/nsp-070108-ep110.mp3

(PS: I hope you still choose to listen to the programming on The Security Catalyst; however, somewhere in the feed change, we seem to have confused iTunes. If it doesn’t look like we have new shows – you may want to unsubscribe and resubscribe.)

Security Catalyst Show – Pop Culture Security (debut): Night at the Museum

Welcome to the debut of the Pop Culture Security program – a monthly installment of the Security Catalyst Show. Please also welcome James Costello – the man with the idea for this program and my cohost on this effort. This program explores and explains how to use pop culture to communicate security concepts to those around you. We explain by doing, and respond to your challenges.

This podcast is based, to a large extent, on the work James did in preparing for and delivering a peer-to-peer session at the RSA Conference this year. While sitting at Mel’s the morning of his presentation, we enjoyed a conversation about the topic that kept on going, and immediately decided the best way to extend the conversation and build on his efforts was to produce a monthly program.

For our first piece of pop culture to use as a reference point to better explain security, we selected Night at the Museum – a comedy with Ben Stiller that is currently (or was) running on Home Box Office (HBO).

Movie at IMDB (including synopsis): http://www.imdb.com/title/tt0477347/

Movie Trailer: http://www.imdb.com/video/screenplay/vi2459500825/

This movie holds many lessons for those responsible for security, in addition to providing some excellent examples to anchor our points to. We will work to keep the program short, informative and useful – especially if you are interested in building a security awareness training program that works!

To participate in the monthly challenge:

  • call 206-350-8346 and leave us a message with your challenge
  • email popculturesecurity &at& securitycatalyst dot com

PS: I recently purchased a Snowball microphone in an effort to streamline my audio programs and preserve quality. So far, I am disappointed with the quality of the unit – and feel that my sound is hollow and tinny; as such, I’ll be exploring how to restore the sound quality I appreciate in the coming days. The challenge is capturing sound in a way that works with Skype for many of these interviews, but is still portable. If you have experiences, ideas and suggestions for something functional, portable and reliable – shoot me a note. In the meantime, enjoy the programs. More to come next week, with an “Author Interview.”

TSC May 21 2008 | The Right Way to Address the Debian OpenSSL Vulnerability

It was disclosed last week that the OpenSSL packages used by Debian systems contained a flaw in which random numbers were not actually random, paving the way for another attack vector.

Plenty of specific details and analysis can be found in different places, including:

http://wiki.debian.org/SSLkeys

http://www.us-cert.gov/cas/techalerts/TA08-137A.html

http://www.kb.cert.org/vuls/id/925211

http://secunia.com/advisories/30220/

For many, this signals the fire-drill of reaction and patching — just in time for a big holiday weekend (aka the “start of summer”) here in the United States.

Just days before this was announced, I was introduced to Venafi (as a direct result of my press pass at RSA). During the conversation, I realized they really own the niche of systems management for encryption. As we shared a lively and informative conversation, I was reminded that SSL is not just something we stick on web servers; it goes deeper and wider in many enterprises today. As soon as you have to manage many of these encrypted connections, the process gains complexity – and is ripe for error. Enter Venafi.

When the Debian vulnerability was announced, I immediately asked if Venafi would be willing to share some insights about how organizations should handle this issue. This is bigger than patching (remember Code Red?) – and I wanted a discussion that provided insights into how to manage this in a way that brings immediate results as well as good long-term gain.

During this program, Paul (from Venafi) and I start by exploring how to engage business users in the conversation. We progress to tactical and strategic ways to address this challenge while realizing this is an opportunity to make some improvements that bring better future results.

It comes from planning and following a process informed by experience – and we’ll share the insights with you in 30 minutes or less!

In the wrap-up, I suggest following the approach of plan-do-review, outlined in this podcast: http://www.securitycatalyst.com/blog/2008/01/31/the-security-catalyst-show-plan-do-review-your-way-to-success/

Tune in next week for the debut of the Pop Culture Security podcast – your monthly “how-to” for Security Awareness Training.

Introducing a brave new program – Driving the Digital Revolution

I am excited to introduce to you a new program that I host and produce for Cornell University called “Driving the Digital Revolution.”

Driving the Digital Revolution is a simple, but powerful, way to consider the changes taking place around us every day. The digital revolution has lifted cultures out of poverty, literally changed the face of global business and local business, and even affected the family structure. Without question, the digital revolution both depends on and plays an active role in shaping how people protect information.

Cornell takes its role in driving the digital revolution seriously. In both education and research, emphasis is placed not only on the field of study, but also on how that subject is being transformed by advances in computing and information resources. The university realizes that as ideas and technologies advance, we have an obligation not only to consider the consequences, but to study and anticipate the unintended consequences.

I am sharing this with you for two reasons:

(1) I am passionate about this series and the opportunity to work with other experts to dig deeper and uncover important concepts that are driving the digital revolution; their words have a lasting impact on me, and I believe they will on you, too.

(2) We are at a place in our industry when we need change. We need to grab on to a vision of hope and drive change. Studying how Cornell participates in driving the digital revolution is a blueprint for our success.

So sit back, plug in and consider the words — and passion — of Dean Constable and how they apply to what you do. Working together, we can change the way people protect information.

There are three ways to listen and subscribe (so you get every episode):
1. Each episode can be played on the website. Simply point your browser to http://www.cis.cornell.edu/alumniblog/ and press play
2. You can download this episode directly: http://www.cis.cornell.edu/alumniblog/podcast/cornell-ddr-01.mp3
3. If you prefer to subscribe using RSS, here is the feed: http://www.cis.cornell.edu/alumniblog/feed/

The Security Catalyst Show | Plan – Do – Review your way to success

Into the Breach is really taking shape – but I have been eager to get back behind the microphone and share the ideas and concepts I have been working on. You witnessed my transition to The Security Catalyst last year, and with it, my focus on changing the way people protect information.

In this podcast, I share a simple and powerful concept that can be applied to anything you do: PLAN – DO – REVIEW

I first learned about PLAN – DO – REVIEW a few years back when it was time to learn about nursery schools, and one of the schools followed the HIGH/SCOPE method. Curious, I went to explore and learn more. Since then, I have tested and adapted the approach for my own use – with excellent results.

Now I share my experience with you.

Here are three links if you would like to learn more:

http://www.highscope.org/

http://en.wikipedia.org/wiki/High/Scope

http://www.perpetualpreschool.com/highscope/highscope_info.htm

The Security Catalyst Podcast: A Conversation with Brian Chess

On this program, we share a conversation with Brian Chess, the author of Secure Programming with Static Analysis – a must-listen for business leaders, security professionals and developers who want to learn how to engage their teams to better protect information.

Brian takes an approach with secure programming that is similar to the approach I follow when assessing and implementing awareness and training programs. So whether you are a developer or not, you will change the way you protect information by listening to Brian!

What I took away from my conversation with Brian
After reflecting on our conversation (I explain more during the podcast), here are the top five points I took away:

1. Introspection is important when looking to protect information. To me, this also means we have to stop blaming and looking to assign blame. We can look within, take (and encourage) responsibility and find solutions.

2. Trust is paramount. We have to find ways to establish and maintain trust, offline and online.

3. We need to develop processes and tools to support our experts in a way that naturally engages them and encourages their participation in information protection.

4. New processes, new learning and new tools require an initial investment (time, money and resources) that may sometimes seem sizeable – but the savings are realized rapidly and bring long-term positive benefits.

5. In security, we need to stop griping and learn to be good coming from behind. It’s okay, and we can do it.

What did you take away from this conversation? Send me an email: securitycatalyst@gmail.com, or better yet – join us in the security catalyst community – www.securitycatalyst.org and share your insights with others.

Information and Links

Brian Chess, Ph.D., Founder & Chief Scientist
http://extra.fortifysoftware.com/blog/bloggers.html

Dr. Chess’s research focuses on methods for creating secure systems. He received his Ph.D. from the University of California at Santa Cruz, where he applied his background in integrated circuit test and verification to the problem of identifying security errors in software. In addition to authoring numerous patents and technical papers, Dr. Chess has more than ten years of experience in the commercial software arena, having led development efforts at Hewlett Packard and NetLedger.

Secure Programming with Static Analysis

http://www.amazon.com/Programming-Analysis-Addison-Wesley-Software-Security/dp/0321424778/ref=sr_1_1?ie=UTF8&s=books&qid=1196292147&sr=8-1

Blogging with Brian Chess

http://extra.fortifysoftware.com/blog/

Serving Your Needs
I thoroughly enjoy researching and producing these podcasts – and looking forward to getting back into a programming schedule with a bit more regularity. I’ve also been impressed with the Talk Shoe service, and considering hosting more podcasts through Talk Shoe so you can listen in live.

Let me know if you would listen live and participate if we made that an option, and who you would like to share a conversation with by sending me a note: securitycatalyst@gmail.comAs always, thanks for the gift you give me by listening. If you liked the program, tell a friend. If not, tell me!

The Security Catalyst Podcast – Why Virtual Teams Fail (and how to avoid it)

This podcast explores how and why virtual teams fail, based on new research from a group of graduate students at Johns Hopkins Carey School of Business.

My belief is that in order to protect information, we have to support the individual – and make it easier for them to do their job. By learning more about how virtual teams fail, we can learn how to avoid mistakes and build stronger and more effective collaboration opportunities – where people can do their jobs while taking responsibility for protecting information. By absorbing this research, you may also learn how to work more effectively on your own virtual teams.

After our interview, I share the top five things that I learned about nurturing and protecting virtual teams. I invite you to sit back, listen, learn and contribute. I’m happy to keep the conversation going in the security catalyst community.

Background: Bringing new knowledge to the field of work team behavior
A group of five graduate students (Robert Darling, Cari Endicott, Lisa Fratino, Matsuno Inoue, and Ellen Snydman) from the Carey Business School of Johns Hopkins University, participating in a team building course under the leadership of Dr. Robert Pernick, were charged with bringing new knowledge to the field of teaming.

This group elected to research the world of virtual teaming, and in doing so found that there is a great body of literature on what makes virtual teams successful, but little written about what causes them to fail or become sub-optimized. The team’s first research effort was to conduct structured interviews with a group of virtual teaming experts.

The expert interviews generally agreed that the success of virtual teams was threatened by:
  • Concerns regarding the ability to protect sensitive information
  • Lack of a single platform that provides all the tools necessary to optimize
  • The struggles of virtual communication
  • Poorly trained or under-trained users
  • The challenge of building trust without the use of face-to-face communication

Overall, the experts agreed that all of these obstacles can be overcome and, unless combined into the “perfect storm,” are not likely to cause catastrophic failure. The experts felt very good about the work that is being done virtually and believe that the use of virtual teams will become even more prevalent in today’s global society.

The second phase of research involved the distribution of a short online survey about virtual work. The results of the survey are still being collected, but at this point there seems to be a great deal of overlap with the findings from the subject matter experts. The podcast you are listening to will explore both elements of the research and will introduce yet another subject matter expert, Stu Snydman, the Manager of Digital Production at the Stanford University Libraries.

This podcast was created and hosted by Michael Santarcangelo and expertly engineered by Steve Witt. Thanks, Steve!

Security Catalyst Podcast – The Value of Fundamentals

I’m back, baby! I know I’ve been remiss in sharing some ideas and observations – but I’ve been really focused. As I continue to focus on changing how people protect information, I have come to appreciate the value of the fundamentals. I share some insights in this long overdue podcast. Things you will learn by listening to this podcast:

  • I am a Yankees fan
  • Three lessons I took away from watching professionals and legends
  • How to have more fun at work

I also share some updates on the Information Protection Assessment Toolkit, make a special offer and update some of my travel plans. It’s nice to be back. We have an SRT coming up, and I have a lot I hope to share… more to come… If you enjoy this, let me know. If not, let me know how I can make your job easier and improve the quality of your podcast experience.
