Ben Rothke, author of Computer Security: 20 Things Every Employee Should Know and a valuable contributor to the information security profession through sharing of research on Security Reading Room reviewed How Not To Be Hacked today. As in any moment when a person you respect reviews your work, I was struck with emotional anxiety and excitement when I saw the notification of the review. Ben’s review was honest, accurate, and I thought extremely helpful to anyone trying to uncover answers that will help their friends/family who do not hold 5+ certifications navigate the online world safely!
A snippet from his full review at RSA Conference Blog:
In How Not To Be Hacked: The Definitive Guide for Regular People, author James DeLuccia has written an extremely useful guide that offers 63 valuable tips on how and what users can do to avoid being hacked.
When the author says the book is written for regular people, he means those folks who don’t know a device driver from a digital certificate. The book is written with no techno-babble or jargon, which makes it an enjoyable read for the novice.
Posted again at How Not To Be Hacked: The Definitive Guide for Regular People | RSA Conference.
Thank you to Ben for taking the time to share his thoughts on the book!
Humbled and thankful,
What is dedication… how do you define it? How are you better for it?
To often people try to raise dedication to a level that seems impossible to achieve, but that is not necessary. Dedication to your passions, pursuits, and life are simple enough. Dedication should not have soft edges, but should happen at intervals.
I find that dedication to training for instance can be achieved when rest days, variety in events, and fun are brought into a sometimes realistically “boring” or mundane and repetitive set of activities. For instance when pursuing Ironman Events the training typically involves 6-8 months of training 16 hours of a week across each skill. Needless to say this can lead to a bit of mental fatigue, but adding short / fun swim, run, and rides can provide the sufficient gap necessary to allow for dedication to continue with stronger mental stamina to raise to the next level.
This concept of interval training is well tested in physical athletes, and I have sought to apply it in my life generally.
Consider how you would apply it in the following areas:
- Making moments in your life beautiful
- Living life (feeling like you are in a rut and there is nothing new/exciting?) > seek out new adventure! (I recently, thanks to the Olympics) have been re-introduced to my love for ice skating, and gymnastics thanks to my daughter)
- Work – variety is the spice of life, inject hands on hard core with cerebral program and management functions (don't lose touch of how the tire meets the road or you'll either lose the rhythm of the industry or have unrealistic expectations across your teams and business.. pretty simple)
How does this relate to business.. well the same as it does for our personal ventures, since the personal venture and dedication of our people is what makes up our business. Without these fundamental pieces there is no business that can succeed.
Information Security, like other fields, requires this type of dedication given the sheer complexity and dependency placed upon these efforts by the individuals behind them. I would challenge you to answer the above questions for yourself personally, and then consider how they apply to your sphere of influence. When you are satisfied, seek out your colleagues and team members .. are they, and if not how can you help them move forward?
Sometimes the most technical aspect of our field of business, technology, and information security is the people themselves.
RSA 2009 is finished; the vendors have packed up; the speakers have shuffled out of the lounge, and what remains is a compendium of excellent thoughts captured in real-time on blogs and Twitter alike. For Twitter search for #RSA or #RSAC and for blogs, well hit Google or simply start here. Business wise – the conference had lighter attendance (anecedotaly) and the vendors were on the edge of Cloud | Security | Recession-Antidotes. Session wise – they were better this year then last year – the Department of Justice presentations on Data Breach investigations and the Hoff on Cloudisms were quite good and worth the travels.
Last year I spoke on the Synergies of Regulations, a core tenet of my book, and this year I pushed deeper with BEYOND PCI DSS. The session abstract for this year was:
“The payment card industry standard for data security world centers blindly around PCI DSS, but that is not the only duty of companies and persons. Explore the worst and most often boggled sections of PCI DSS. Beyond PCI, discuss with peers the labyrinth of existing publications and control guidance / requirements published by government, state, and international authorities that we must address.”
PCI DSS is a very troubling issue based on the attendees to this session. The session was full with a range of persons from vendors (10% of room) to businesses complying with PCI DSS (70%), and the remainder being made up between a VC and a few indepedents. A great bonus of RSA is that they make video recordings available online; however, my session was not part of that digital wonder, so I will try to recap a few of the strongest points below:
- “Compliance (PCI) provides a metric to determine security – without the compliant requirements the business of security becomes stale” – Top Industry Manufacturer
- The perception of business / security / governance / auditors is skewed towards PCI DSS (Somali pirates) and the business SLA and other regulations (Great Report Released last week) are being placed in a back seat. PCI part of the Program towards delivering operational integrity through IT infrastructure, systems, and computing processes.
- Intensely vet the AUDITOR and less the firm. The firm conducting the audit must have Fidelity, but selecting the A-Team is a predominant indicator of having a strong control environment.
- “Convince your QSA” – When going through the audit you shouldn’t be arm wrestling over controls, but these points of “negotiation” should be done through an existing, mature, and accurate Risk Assessment Program. Caution should be focused here to not materially affect your ethics or that of your company – convice should be a mutually agreed upon state, and not a “do this or we fire you” situation. Audits are supposed to validate compliance and / or provide a set of lenses highlighting how to enhance operations.
All quotes are in fact quotes from EVP / CIOs who attended session – comments are my own…
Thank you to everyone who attended and for each that did not receive a book during the giveaway, you may find additional copies at Amazon.