Wednesday, May 6, 2015

SPC 2015 - Five to Ten

Christopher Buse, the CISO for the State of Minnesota, gave an interesting keynote to end this year's SPC.  One take-away I got from his talk is to plan, be patient, and remember that change can take time.


Five To Ten

Five to ten years, five to ten years!
How many years will it take?
So many problems, so little spend.
The flour but none of the bake.

We have all the problems, never a fix.
We know the bad issues are here.
We try different process, we try different tricks;
No way we do it this year.

Climbing the mountain of business and risk,
We do it one step at a time.
The dangers are present, opportunities missed.
Our methods themselves are a crime.

We have to be patient, and we have to be smart;
Build service and not just the tech.
We have to speak calmly and speak from the heart
While steering the ship from a wreck.

Goals should be settled and metrics be set:
We measure our progress gone by.
Steady and slow, the challenge is met;
Be strong and try not to cry.

Opportunities come, but watch them with care.
They move much more quickly than we.
Stay open, stay hungry, and take on the dare
Of learning and listening with glee.

It may not move quickly, it'll never be fast
But time that we spend means a lot.
We'll find out that after five to ten past
We'll have so much more than we've not.

SPC 2015 - CISO HULK

CISO HULK NEW TO JOB.  CISO HULK MUST SING AWAY PAIN.


CISO HULK


HULK GET JOB IN INFOSEC
CISO ROLE IN HIGHER ED
HULK IS MAD BUT HULK IS SCARED
HULK NOT KNOW WHAT IN FOLKS' HEAD

HULK SEE YOU THINK YOU GET MAIL
BARRISTER NO KNOW YOUR NAME
HULK SEE KIDS USE P2P
HULK SEE THIEVING FACEBOOK GAME

HULK DID RESEARCH, BUT NO MORE
FISMA RULES RUIN ALL HULK GRANTS
HIPAA RULES, THEY MAKE BAD TOO
HULK RESEARCH LIKE HIS TORN PANTS

HULK SEE HOLES IN ERP
HULK FIND BAD WEB CROSS-SITE SCRIPT
SQL GET INJECTION
THAT WEBSITE, LIKE SHIRT, IS RIPPED.

HULK MUST BUILD INFOSEC JOB
HULK ASK BOSS FOR LOTS MORE CASH
HULK NO GET, HULK MUST GET BY
ALL THIS STUFF JUST MAKE HULK SMASH

Tuesday, May 5, 2015

SPC 2015 - HEISC Information Security Guide

HEISC, the Higher Education Information Security Council, has created an Information Security Guide to assist Higher Ed CISOs in developing and growing their security programs.  It's good food.  Check it out.


HEISC Information Security Guide


HEISC!  HEISC!  Say it twice.
Working to help and give you advice.
They made up a helpful and detail-filled guide.
Come on along for a game-changing ride!

Fourteen domains, the editors scribed;
Getting you started with wisdom they tried,
Managing risks and closing up gaps,
Giving direction and warnings on traps.

Offering models and frameworks galore,
External sources for raising the floor.
Mapping out standards from ISO to NIST,
Accounting for PCI, HIPAA's real gist.

How do you monitor, log, and review?
How do you know when your data's all true?
How do you monitor contracts and laws?
How do you deal with software that's flawed?

This guide will help you, HEISC has done good.
Managing risk will be done like it should.
Doing awareness?  Policy growth?
This guide will help when you're mapping out both.

Fear not The Cloud.  It helps you with that.
If it can't help you, I'll eat up my hat.
Take a quick look, you'll like what you see.
An infosec guide that is offered for free!

SPC 2015 - NIST Risk Rap

The Ohio State University has developed an impressive Information Risk Management program.  I plan to steal a lot of it.

I plan to rap about it too.  Oh, look.  There it is.



NIST Risk Rap


Do you wanna know how to manage risk?
Lemme rap a bit 'bout a thing called NIST.
Hundreds of pages, hundreds of rules.
Gonna be adopted by so many schools.

It comes from a Federal agency,
Makin' up the standards, all for free.
(Well, also bought through Federal taxes,
But never mind that, it's the least of fact-es.)

I'm talkin' about one: eight hundred five three.
A nice long list specifying what be.
Giving you the standards, giving you controls.
Ammo for fighting your faculty trolls.

But don't stop there, gotta take the next step:
Architect it out like an Imhotep.
Makin' up the metrics, makin' up the forms,
Leading stakeholders, embracing new norms.

Assessments help, but keep them scoped small,
Otherwise the hill just becomes too tall.
Create yourself a process sustainable.
Keep your change goals all attainable.

If you build it right, risk will drop like beats.
Risk management: a most awesome of feats.

Word.

SPC 2015 - How To Sell Security

I sat in on William Perry's talk entitled Rethinking and Simplifying Security: A Best Practices Roadmap.  One of his points was the need to develop a good value proposition for any security program change you make.

This idea drove me to haiku.  (Yes, one can haiku.  Verb all the things.)



How To Sell Security


Only the greenhouse
Survived the plague of locusts.
The gardener planned.

An angry gray goose
Chases the red, hungry fox:
Her chicks protected.

Frightened zebras run
Lion is dazzled, confused;
Until one falls back.

Monday, May 4, 2015

SPC 2015 - These Numbers Are The Devil

I co-presented a seminar called PCI Program Frameworks: Learning to Cope with Compliance this morning.  We had an excellent group of engaged participants.  I hope they got something good out of it.  They did get a poem out of it.


These Numbers Are The Devil


These numbers are the devil.
They hide in shaded veils.
They grace the backsides of billboards.
They travel on whispers through the air.
Whispers themselves,
They sour the best of intentions:
A vapor that slips through cracks and open doors,
Seeding hearty vines of complexity.

Those numbers live and grow and multiply.
They feed on the food of commerce.
To silence them would be a fool's game,
As their echoes travel far and wide.

No, these numbers must be counted
And counted on
And welcomed, but not without rules or cages.
These numbers are the sighs of sleeping tigers,
Dreaming of the free places they have known.

Sunday, May 3, 2015

SPC 2015 - At The Bar



At The Bar

Before the deep dive into tech tracks and panel discussions,
Before the keynotes and coffee lines and vendor smiles,
Before we get our badges and drink tickets to trade,
We sit together, sip, and talk away the miles.

We travel from coast to coast or beyond the glistening seas.
We travel from our institutions, varied, flawed, and driven.
We travel from our day-to-day to take the time to ponder.
We sit together, sip, and share what each is given.

We smile to the waitstaff who bring our chips and beer.
We smile at the stories of battles won and lost.
We smile at the notion that our worlds are quite the same.
We sit together, sip, and disregard the cost.

In the morning, we awaken and coffee is our drink.
In the morning, we will seek the truth among the murk.
In the morning, we'll devise the evening's social fun
When we sit together, sip, and celebrate the work.