SC Magazine - DLP

Can you help with the following article? This article will be appearing in SC Magazine. SC features on specific technologies and trends are designed to inform IT security professionals about the state of the art in that area.

Deadline for leads is 3rd March 2010. Email me or leave a comment below.

Professional workshop
Understanding and implementing DLP in your workspace for security and business efficiency

A look at best practice for designing and deploying DLP, avoiding the mistakes and ensuring business continuity

A spoof advert for a bison trainer

Information Age - IT qualifications

IT qualifications: are they worth it, which ones are the ones to get if you're a CIO, and want to be better at your job or advance your career? Should you get your staff trained up in formal qualifications to make them better at their jobs or improve their morale? Or are they likely to leg it to another company if you do? Is simply training them up without any formal qualification the best way to have them skilled but retain them?

I'd like to speak to CIOs and other IT professionals, consultants, recruitment agencies, headhunters, training organisations and CIO organisations. Phone interviews to take place in the next fortnight.

Approaches by email only.

SC Magazine - Web 2.0 security

Young people entering the workplace see email as slow and have grown up with P2P and Web 2.0 applications - yet most businesses are still living in a Web 1.0 world – with security policies to match. It's already a major battle keeping email and the "vanilla" web free from attacks, malware and spam - the adoption of Web 2.0 will make the job even harder. Yet simply closing access to unapproved tools can be short-sighted, as unhappy talent drifts to rival businesses with more enlightened policies.

This feature will look at ways that information security professionals can learn to "think at Web 2.0 speed" and embrace the advantages of the new business tools without compromising security.

Some questions the article will answer:

  • What are the business advantages of adopting web 2.0 in the workplace?
  • Which types of businesses are more likely to adopt and encourage Web 2.0? What are the reasons for this? Which aren’t and why is that?
  • Does the recession make it easier for companies to restrict Web 2.0 usage by taking advantage of people’s need for employment and inability to move companies? Is this likely to come back to haunt the business?
  • What are the techniques that cyber criminals are using to scam employees (and consumers) via web 2.0 applications?
  • Even in a recession people seem to be buying more sophisticated phones and netbooks and using them for work. More people are working from home mixing domestic and business use on the same PC or Mac. What’s the best way of dealing with these trends?

I'd like to talk to the following groups of people:

  • Chief information security officers and other information security professionals about their experiences of Web 2.0, good and bad, and even some that may have been open to Web 2.0 to begin with but then changed their mind due to security concerns.
  • Experts from Facebook, LinkedIn, Twitter etc who can discuss the security of their applications and others and whether they are suitable for enterprise use (or not)
  • The likes of RSA, Symantec, McAfee etc.
  • Consultants and analysts who can either address all the issues or address specific ones mentioned above.

As usual, I'm going to want a case study of a business that has adopted Web 2.0 and successfully integrated security both in the enterprise and remotely. I'd like to be doing phone interviews during the next two weeks (until November 13th). Approaches by email only, because I'm going to be out of the office and you'll only get my voicemail if you call!

Can you help with the following article? This article will be appearing in SC Magazine. SC features on specific technologies and trends are designed to inform IT security professionals about the state of the art in that area.

Virtualisation is being touted as the next wave in corporate computing, but its advantages bring new challenges and headaches for the information security professional. You can't move these days in IT circles for people touting the advantages of VMware and other virtualised systems - and the advantages are many, but they bring with them security pressures and risks.

Questions to consider

  • What are the advantages of virtualisation?
  • Is it any different from network computing?
  • What are those security risks?
  • How do these risks differ from those on non-virtual systems?
  • Is there anything that should not, absolutely, be virtualised?
  • Could a virtualised system actually offer more robust security than a non-virtual system? How?
  • Who are the leaders in secure virtual systems and what technologies do they use?

I'd like to speak to analysts, consultants, select vendors and the technical community for this piece.

I'm also looking for stats on how fast are UK businesses moving to virtualisation and what the reasons are.

Lastly, some companies like IBM are actively using virtual worlds like Second Life for serious business purposes like holding global sales meetings and to build communities for partners and customers. But how safe is this? Surely it's asking for trouble expecting virtual communities to be safe where you cannot be sure that anyone is who they say they are? I'd like to know if any other businesses are following IBM's lead, why they are doing it and what security steps they're putting in place.

I'd like to arrange interviews for this week and the week of the 7th - please note, I'm on holiday the week of the 31st so won't be able to answer questions, emails, etc during that week. My _absolute_ deadline for this piece is the 18th September.

HOW TO REPLY: send an email to pr@robbuckley.co.uk or leave a comment below

Santorini - you must go!

A church dome in Santorini

Oia

Just got back from two weeks in Santorini. It's gorgeous, it really is, and even with two weeks, it's hard to do everything, even though it is quite a small island/archipelago. Oia is probably the most beautiful place I've ever been to, but the Prehistoric Museum in Fira is also a must-see for its Bronze Age frescos.

Photos: The islands of Santorini (looking to the northern islands); A church in Oia; Oia; Sunset at Oia; Fira

Holiday

I'm going to be on holiday from the 4th August to the 18th August, but if you leave a message on my voicemail or send me an email, I'll get back to you when I return.

IT security professionals charged with securing the information architecture of an e-commerce-driven business face special and daunting challenges. They must fight phishing attempts, identity theft and DDoS attacks, manage the business's reputation, and at the same time face the risk of media exposure of the business if they get it wrong.

What is the latest thinking in protecting an e-business from cyber attack? This feature will go behind the headlines to look at the reality of attacks and outline what IT security professionals should do to mitigate threats and deal with attacks if and when they happen.

So I'd like to speak to consultants and analysts as well as IT security professionals, including at least one for a case study, preferably someone who has successfully defended against non-trivial attacks (DDoS, hackers attempting to penetrate networks, bad employees trying to hack from within, etc), to discuss the latest security thinking.

Interviews will probably mostly be conducted between 16th and 24th July. My final, final deadline (before anyone asks) is the 28th July.

I'm out of the office

First, Swansea council mess up the translation of one of their signs: the Welsh says "I am not in the office at the moment. Send any work to be translated".

Now, English councils are banning everyday Latin phrases, like 'vice versa' and 'via'.

It's worrying, isn't it?

Can you help with the following article? This article will be appearing in SC Magazine. SC features on specific technologies and trends are designed to inform IT security professionals about the state of the art in that area.

Deadline for leads is 7th November 2008. Email me or leave a comment below.

Extending the ROI on information security expenditure

How Information Security Professionals (ISP) can ensure that their investment in technology, people and consultants actually pays off. What are the best ways to ensure they get value for money, please the CEO and CFO and improve security - all at the same time?

The conundrum of being an effective information security professional is that if you do a good job then there aren't any tangible results -- you can only point to reduced or zero breaches. If the board sees that the company seems to be insulated from attack, it may be hard to get agreement for increased spend or bigger teams.

The problem is that the board doesn't see what you see. They don't know that you and your team are working 14 hours a day just to keep up with the waves of attacks and patching old systems.

So how does the CISO:

- Devise a budget

- Model the likely level of attack for the next four quarters (risk assessment)

- Audit current system architectures

- Work out how much to spend

- Get the best value and deals from vendors and consultants and resellers

- Prove to the board that without the investment and spend required the company would suffer monetary loss

- Prove what the ROI would be on security spend

What skills does a CISO need to do all this? Are there any software tools available that can help? Can consultants help?

Should information security actually be exempt from proving ROI, as it is necessary in the same way as physical security like alarms, fire exits, CCTV etc, which most of the time are redundant to the functioning of the company's core business?

Box 1: Recessionary times
This feature has become all the more topical given the current financial crisis and the impending recession but there are two schools of thought at the moment. One is that security spend will hold up as it's the one area that business cannot afford to skimp on because attacks may increase. Others however think that it is unlikely and that spending will be squeezed on security and at the very least legacy systems will be patched and made to last and 2009 budgets will remain static at best - cut at worst. What is the truth about all this? Who is right?

Box 2: Case study
An interview with a CISO or CSO from a well known business about how they configured their budget, got buy-in from the board and possibly devised a system to prove ROI on their architecture, policies and staff.
