Just like bad weather conditions found in nature, such as typhoons, hurricanes, or snowstorms, technology system defects and vulnerabilities are inherent characteristics found in a cyber system environment.
Regardless of whether it’s a fair comparison, weather changes are part of the natural environment that we have little direct control over, whereas the cyber environment is fundamentally a human creation. Despite these differences, the choices we make do have direct implications, even if they are not obvious. Take, for example, the use of leaded or diesel fuel in vehicles, or controlled burns in the forest to clear land for agricultural use. Both have negative effects on air quality. The same is true for information technology developers, whose design decisions in software programs may unknowingly create software bugs or security risks because of their interactions with other untested, insecure network systems and cyber environments.
Tags: information security, piezoelectric, security
Noted business management author Peter Drucker famously said, “What’s measured is improved.” When applied to the world of security, meaningful security metrics can literally transform an organization and solve real business problems. At Cisco, Unified Security Metrics (USM) combines multiple sources of data to create higher-value actionable business metrics and decision-making capabilities to protect the company’s data, business processes, operational integrity, and brand from security threats.
Hessel Heerebout, Program Manager for Cisco’s award-winning USM program, will give an overview entitled “Cisco Unified Security Metrics: Measuring Your Organization’s Security Health” (Session ID #SEC-W05) at RSA Singapore on July 23.
Tags: information security, metrics, security, Unified Security Metrics, unified security metrics program
Editor’s Note: This is the third part of a four-part series featuring an in-depth overview of Infosec’s (Information Security) Unified Security Metrics Program (USM). In this installment, we discuss the effectiveness of the USM program at Cisco.
Information security is all about risk reduction, and risks are notoriously difficult to measure; ask any insurance salesman or actuary. So how do we handle this conundrum for a security metrics program that hasn’t even reached its second anniversary yet?
Peter Drucker, noted business management author, once said, “Efficiency is doing the thing right. Effectiveness is doing the right thing.” Even at this early stage of the USM program, we can see four clear indicators demonstrating that we’re doing the right things to improve the security posture of the IT organization and of Cisco as a whole: the creation of newly defined partnerships, the leveraging of existing IT risk management frameworks, the development of well-defined feedback mechanisms, and increased support and visibility at the CIO level.
Tags: information security, infosec, metrics, security, unified security metrics program, usm
Based on 25 years of professional experience in various businesses around the globe, I can say that many industry verticals have a pretty good state of safety culture as it relates to the health and safety of their employees. This is especially true for companies involved in high-risk businesses such as oil and gas, (nuclear) energy, manufacturing, chemicals, food processing, and so on. In such industries, it is pretty clear that there is a risk that something may blow up, hurt, or even kill people.
However, it seems that the next big driver for them is business alone, and they are not as focused on information or IT security when it comes to the logical side of security: bits and bytes, the handling of confidential documents, and similar subjects. This is in stark contrast to their keen attention to physical safety and security issues.
It would seem intuitive that any organization with a commitment to safety, one that counts (and incentivizes) the hours (days, weeks, months, …) of safety-incident-free time, should also be easy to convince that taking a similar approach to information security would be a good thing. But it is not that easy. Operations in these businesses are very physical, so it is not really in the mind-set of a rig guy or gal, a welder, a component mixer, a machine operator, or similar, that another devastating incident (an attack) could come from “within” the system(s), from a human adversary committed to doing harm in the interest of their nation state or paying agent. All the systems in the above-mentioned industries that work at the process level (sensors/actuators, process control, SCADA (supervisory control and data acquisition)) are designed for efficient, effective, well-performing, and reliable operation, but they were not really designed and built to resist logical attacks from a smart human adversary who can outsmart almost every defense.
In industrial networks, spanning the areas of instrumentation, control bus, operations, business, and enterprise, the often-cited Purdue reference model, which provides several “levels” or “zones” of abstraction and segregation, can be used. A really good introduction can be found in the Secure Data Transfer Guidance for Industrial Control and SCADA Systems.
The main security points to address are:
Tags: encryption, information security, information technology, IT, network segmentation, physical security, security
I have been coaching youth sports for the past seven-plus years now, and one of my common mantras when speaking to the girls and boys each season is that “we will win as a team and lose as a team.” In other words, I will never tolerate one player acting selfishly enough to think he or she is above everyone else on the team. I strive to instill the objective that we will collectively pool our talents for the betterment of the team. We use this approach because each boy and girl, believe it or not, brings a unique set of abilities and strengths from which the entire team will benefit.
So why should you care about my coaching philosophies? :-)
Tags: cisco sio, cybersecurity, DDoS, dos, information security, security