Tag Archives: fisma

Who will be the Jamaica Ginger of Information Security?

I read a short section in Bruce Schneier’s book Liars and Outliers that tells the tale of Jamaica Ginger:

“an epidemic of paralysis occurred as a result of Jamaica Ginger… it was laced with a nerve poison… and the company was vilified”, but not until 10s of thousands were victims, this resulted in the creation of the FDA.

To date, throughout most industries there is no absolute requirement with meaningful incentives to introduce and sustain operational information technology safeguards. There are isolated elements focused on particular threats and fraud (such as, PCI for the credit card industry, CIP for the Energy sector, etc…). So what will result in the Jamaica Ginger of information security?

Some portend that a cyber-war (a real one) that creates such societal disruption; a long enough sustained negative impact to survive the policy development process, and driven enough motivation to be complete. OSHA, FDA, and other such entities exist as a result of such events.

The best action enterprises can follow is to mature and engage sufficient operations that address their information technology concerns in the marketplace. As a means of self preservation; selfish (perhaps) demonstration of a need to NOT have legislation or a body established (such as the Federal Security Bureau), and ultimately preparedness should such a requirement be introduced the changes to your business would be incremental at best.

Other thoughts?

James DeLuccia

How to improve the maturity of your security program – Learn from mistakes made others!

Organizations struggle with a complex information security compliance program needs placed upon the organization.  Mature organizations participate in regular self review and improvement activities on an annual basis, and in some organizations as regular as monthly.  These organizations are fortunate to have larger security teams that reflect the global (think Fortune 500) deployment of assets.  This network provides an immensely valuable feedback loop on the following, among many others:

  • What are effective practices
  • What policies are great for the business, and where are exceptions being raised frequently that may indicate unknown business requirements
  • Attack patterns and weaknesses in the security program based on statistical review of events within the business
  • Where are programs meeting customer / client requirements – based on sales attributions and audit findings, respectively.

For organizations of this sophistication and those of all other sizes there is an additional input that raises the overall efficiency and effectiveness of the security compliance program.  That is through a self comparison against public data.  Specifically data released by government audits, intelligence committee reports, and guidances / complaints issued by government enforcement agencies.  These are immensely helpful in providing businesses across all sectors insights into security threats, trends, shifting perceptions of “due care”, and areas where risks are ebbing and flowing.

A simple set that an organization may consider includes:

The takeaway here is that every organization should regularly identify these sources, consolidate them in a manner that can be analyzed, and develop an intelligence report on any gaps in practice and security controls as documented by these organizations.  These apply to every organization and not simply those in the government space.  The process of careful analysis against the organization’s strategy combined with the rote knowledge of the practitioners internally can support realizing these benefits.

The genesis of this article was inspired through close workings with Fortune 50 organizations and developing leading global security programs.  A nice article illuminating this and other opportunities for improvements to security compliance programs is by Adam Shostack, in “The evolution of information security“.  A very good read.

Thoughts .. and expansions of idea are always welcome!

James DeLuccia IV


Managing information Security in an ever changing environment

Can a network be defended and secured?  Of course, observe the red team / blue team activities that are executed by businesses, governments, and at conferences.  There is one catch, these do not reflect reality.  Businesses are living networks and under constant change either directly encouraged or indirectly effected by the windows of the market and universe as a whole.

A fine quote that brought this to bear for me was published in an NSA publication stating: “One simply must realize that while the search for the right foundations proceeds, construction will continue.” where the article describes how the Duomo in Florence was built without an understanding of how to build the planned dome at the top.  That is akin to information security today – the challenge and task of information security is to build and execute a security program that reflects that the business is in constant development, and we will not always “know” what is effective for where we are going.  Think Mobile and Cloud security as the current sources of concern and challenge.

The takeaway is to recognize that the standards organizations build their security programs upon (ISO 27001, NIST) and are regulated / audited against (PCI DSS, NERC/FERC) are in themselves in a constant state of change.  This is only matched by the dynamics of the changing foundations of what information security is protecting (mobile, cloud, etc..) and the market demands placed on the organization.  Being still is not the answer, but instead iterating rapidly with a conscious focus on the strategy of the organization with an enabling security program will enhance the longevity of the organization and the relative effectiveness of the security compliance program itself.

NSA Article referenced:  “Cybersecurity: From engineering to science” by Carl Landwehr

Other thoughts?

James DeLuccia IV

Synergy and specificity, a review of Forrester’s Simplify Cybersecurity w/ PCI

The recently published, Simplify Cybersecurity With PCI, by Heidi Shey and John Kindervag is an interesting and valuable read.  The premise is that the government regulations (any really) are generally obtuse and ideal focused without prescriptive how-to descriptions.  While the payment card industry standard (PCI DSS v2.0 in this case) is direct on what and how technology controls should be deployed.  The authors present a synergy that exists that can help an organization establish a security program.

I would definitely recommend businesses struggling to establish a security program to review the concept.  I would challenge those involved in establishing security programs and enhancing such programs to focus on their core business strategies and focus on an iterative cycle, and not simply a controls exercise.  Ultimately I agree there are synergies as described by the authors, and I feel the mappings is quite insightful, but I would pair this with the cyclical nature of an ISMS to round out the edges and make it a more pragmatic and ultimately effective program.

One note also, is that the authors intend that the PCI DSS standard is appropriate for mapping, but I would caution readers and all who utilize PCI DSS.  The standard is specifically articulated for a set of risks and typically bounded by scope of the card data environment.  When utilizing these standards it is important to eliminate and or address these pre conditional weaknesses first, prior to establishing a proper security, and ultimately compliance program.

Other thoughts?  I have personally done many mappings (most recent 134 global regulations and guidances) and can appreciate the value of such alignments, but also with each standard carries assumptions that must be managed at the program level.


James DeLuccia

Compliance mandates do not make up your enterprise security program (PCI, SOX, GLBA, etc.. included)

A challenge for large businesses is addressing their own information security needs to manage their operations in a manner that allows them to be resilient and adaptable in an ever competitive market place.  Each organization is different – the risks and the needs to mitigate.  A painful evolution of the past decade has been the mistaken direction organizations have taken to build / address singular compliance instances.  Meaning, organizations develop programs to address single compliance requirements – vendors, SEC, industry, etc …  Not that these are not important, but a natural effect of this is the perception that the security “controls” (even the word doesn’t lend itself in the right non-audit light) are there to achieve compliance.

The mistake is achieving compliance to compliance requirements alone.  There is a gap in the business’ OWN needs.  Over the past year I have spoken on this topic publicly at conferences and my book  has a huge focus on aligning and establishing business requirements cohesively.

To elaborate on the graphic … the CxO office must be aware and share their strategy – typically easy to find, as I generally begin building these programs from the 10-k reports over last two years.  These feed the information security program elements and form the decision framework against all technology, security controls, risk frameworks, sourcing considerations, recovery timelines, etc…  In addition, the compliance elements must be addressed – but with the understanding these are risk transfer activities by third parties.  Not to be the basis of the enterprise program, but a singular consideration.

The capability of the organization to address market competitive requirements is based upon the proper balance.  Here you can see the target is 85% of the program is made up by the business’ own innovative and market driving / supporting activities.  15% of the program to meeting these ‘license to operate’.

The takeaway is to challenge your organization’s singular managed compliance initiatives and a deep dive on budget alignment to business revenue generation.  There must be rationalization to the safeguards to make the business efficient and effective – that includes safeguarding and enabling the business to conduct business, everywhere.

Thoughts?  Challenges?