Collaborative Strategy Guild » Diana Kelley

2012 Federal Government Cybersecurity Survey

Diana Kelley — Mon, 23 Apr 2012 15:08:08 +0000

This year InformationWeek asked SecurityCurve to help them with their annual Federal Cybersecurity Survey. It was a great research project and we learned a lot. If you’re interested in the findings there’s a brief article at InfoWeek:

What are the most dangerous cyberthreats? And how are agencies responding? InformationWeek launched our 2012 Federal Government Cybersecurity Survey to find out. Our poll of 106 federal IT pros involved in IT security for their organizations was conducted in March. We asked respondents to rank the threats they face and their readiness to deal with them. We inquired about cybersecurity spending and where agencies are investing. And we probed into the most significant challenges they face.
Our survey results show that organized cybercriminals and hacktivists are viewed as the greatest threats to IT security. At the same time, government IT pros say they’re least prepared for leaks that take place through social media. And a crush of competing priorities is the biggest challenge to effective execution.

The good news is that agencies feel they’ve made significant improvements in cybersecurity. This is the perception of agencies themselves, as well as the assessment of government evaluators charged with monitoring progress under the Federal Information Systems Management Act (FISMA).

Or you can download the full report here. NB:The report is free, but InfoWeek does require registration for the download.

Does Your IaaS Environment Have Sleeper Cells?

Diana Kelley — Thu, 05 Apr 2012 13:40:20 +0000

IaaS gives you plenty of rope. It’s up to you not to hang yourself. For example consider how IaaS allows you to rapidly create and deploy new virtual machines within the production environment. Without proper care and feeding, this can quickly result in VM sprawl. If a VM remains dormant for a long time and sits out many rounds of updates and patches, what happens when it finally reawakens?

For the rest of Ed’s latest column at TechNewsWorld, please click here.

Does Your IaaS Environment Have Sleeper Cells?

Debating PCI DSS Compliance in the Contact Center and the ‘Police State’: Two Perspectives

Diana Kelley — Fri, 02 Mar 2012 20:47:45 +0000

Raised cubicle walls, safe rooms for credit card data, different colored badges for different agents – it all seemed a bit draconian. Yet, many contact center managers are struggling with some of the stringent requirements for PCI DSS when they first run across them. It may not be a police state, but most contact center professionals need some help and advice. The security professionals often responsible for PCI DSS projects do not always understand the operations of the contact center, what’s important and what’s not. And the same goes for contact center managers dealing with PCI DSS auditors.

In an attempt to get the two sides together, SearchCRM.com News Director Barney Beal delved into some of these issues with Lori, president of Strategic Contact Inc., a call center consultancy and Diana Kelley, a partner with Security Curve.

The roundtable discussion covers PCI DSS compliance across a multitude of topics in two parts. In the first part, Diana and Lori discuss the physical requirements for complying with PCI in the contact center, the importance of clear communication between contact center and IT/security professionals and what Lori’s recent experience revealed about some unexpected requirements.

To listen to the podcast at IT Knowledge Exchange Voices of CRM, please click here.

Application Security Track at the IANS Security Forums

Diana Kelley — Mon, 13 Feb 2012 13:27:08 +0000

This year Ed and I have been asked to run the Application Security Tracks at the IANS Information Security Forums. In advance the first Forum, to be held on March 20-21 in Washington, DC we put together a podcast and a Q&A on application security and the topics we plan to cover. If you’re planning to attend any of the IANS Information Security Forums, or if you’re just interested in Application Security, please take a look and listen:

IANS Research Member Preview

Building an Optimized Application Security Program

IANS Research Podcast

Application Security Track: Forum Podcast with Diana Kelley and Ed Moyle

Post Virtualization Security

Diana Kelley — Tue, 24 Jan 2012 13:44:20 +0000

As the second law of thermodynamics tells us, all things trend toward chaos and this is no less true with a virtual environment. Sprawl can have a real security impact, and it takes discipline and planning to control sprawl — discipline and planning that won’t occur without someone from the security team actively monitoring the problem and formulating strategies for how to address the issue.

VVirtualization has been one of the most rapidly and widely adopted technologies in recent memory. It’s huge, and it’s here to stay.

And as security professionals know, setting up a virtual environment securely isn’t easy. Significant effort goes into tasks like evaluating off-premise service providers, ensuring regulatory compliance, and standing up technical controls like monitoring and encryption. But in the excitement to stand up the new environment and get security to an acceptable “target state,” organizations sometimes don’t address security hygiene long-term. In other words, security is in high gear while the environment spins up, but it doesn’t lay the groundwork for what happens once things are chugging along.

Read the rest of Ed’s article over at E-Commerce Times.

Using HIPAA To Advance Your Security Initiative

Diana Kelley — Mon, 16 Jan 2012 14:06:12 +0000

[Excerpted from "Security Via HIPAA Compliance," a new report By Diana Kelley and Ed Moyle, posted on Dark Reading's Compliance Tech Center.]

Healthcare compliance requirements can be a driver to improve your organization’s overall security. Here’s how:

If your security organization is in the healthcare space, you inevitably are wrestling with the Healthcare Information Portability and Accountability Act (HIPAA). HIPAA compliance is one of the biggest challenges healthcare IT organizations face — but it also could be an opportunity to advance your security agenda.

For security professionals to leverage compliance investment and activities for broader benefit, they must understand what’s driving current compliance investment.

First, it bears saying that the standards outlined in the HIPAA Security Rule are designed to address broad swaths of industry—from small clinics and physician offices to the largest institutional care providers and insurance companies. Because of this, the high-level security control objectives outlined in the Security Rule (standards) as well as the supporting controls are extremely broad and lacking in technical specificity.

How can security organizations make use of compliance activities?

Check out the rest of the excerpt at Dark Reading or download the entire report at the DR Compliance Tech Center.

The False Economies of the Info Security World

Diana Kelley — Wed, 19 Oct 2011 12:18:44 +0000

Ed’s October article for TechNewsWorld takes a look at why it’s so hard for companies to determine the true cost of security initiatives and controls.

Organizations love false economies. It may not be an entirely conscious act on their part, but it’s certainly the truth: Hang around any organization long enough and you’ll find at least one instance where it tries to save on doing A but winds up spending more on doing B in the process.

Consider, for example, expense policies that require employees to stay one or more extra nights when traveling. Because airfare is lower when weekend travel is involved, organizations might be tempted to ask employees to do this to keep air costs down; however, very seldom do recouped airfare dollars come even close to combined dollars lost in extra hotel stays, extra meal expenses, lost productivity and reduced employee morale. The combination of hard and soft costs far outweighs possible savings in the area of airfare.

For the rest of Ed’s article, please click here.

Wrapping Personal Devices and Critical Data in Stale Policies

Diana Kelley — Thu, 22 Sep 2011 18:06:29 +0000

In his monthly Opinion piece, Ed discusses why BYOB requires a fresh look at AUPs:

The use of personal devices for corporate tasks is on the rise, and too many IT departments haven’t fully addressed the information security ramifications of the trend. To tackle the situation, you’ll need to first get a handle on what your current policies are as they relate to management intent as well as what policies you’re already enforcing technically.

It’s a myth that ostriches bury their heads when they spot danger. It sounds plausible, but in reality, they’re just like us: In the face of imminent danger, they either run or attack (“fight or flight”).

This makes sense when you stop to think about it. After all, one thing that seems almost painfully obvious is that ignoring signs of danger isn’t an effective defense strategy. In a high-stakes situation (like being a prey animal on the Serengeti), ignorance isn’t an evolutionarily productive strategy. Successful ostriches are more likely to live by taking evasive action; less-successful ostriches are more likely to ignore danger and perish.

For the rest of Ed’s article, please click here.

Analysis: PCI Tokenization Guidelines offer Clarity, but Questions Remain

Diana Kelley — Thu, 22 Sep 2011 17:54:52 +0000

TechTarget just published my analysis on the PCI Tokenization Guidelines:

For years, security experts have touted the value of credit card tokenization for limiting PCI scope. The National Retail Federation (NRF) listed tokenization in its January 2009 “Key PCI Best Practices” document, and Gartner Inc. analysts John Pescatore and Avivah Litan explained how tokenization can be used to reduce PCI scope in their August 2009 research note, “Using Tokenization to Reduce PCI Compliance Requirements.”

Now, following the long-awaited release of its PCI Tokenization Guidelines in August 2011, the PCI Security Standards Council (SSC) has made it official: tokenization can reduce scope for PCI audits. Organizations that were waiting for the council’s opinion can now forge ahead with implementations, knowing that credit card tokenization is approved for use in a PCI DSS-compliant cardholder data environment (CDE). That in itself will be welcome news to many merchants.

To read the rest of my analysis, please click here.

Is InfoSec Ready for Big Data?

Diana Kelley — Mon, 15 Aug 2011 13:10:32 +0000

Ed’s column in TechNewsWorld this month takes a look at “Big Data” -

Over the past few decades, most IT shops have followed a somewhat similar trajectory: Starting from a centralized model (i.e., the mainframe days), computing resources, much like the cosmological Big Bang, have exploded outwards to become ever-more-distributed and decentralized. This makes sense given market dynamics. Computing platforms evolve quickly, so monolithic computing platforms that require heavy up-front investment are less efficient from a depreciation standpoint (i.e., from a MIPS per dollar per year point of view) than numerous, incremental investments in lower-powered devices.

So it’s natural that processing would decentralize. And in fact, there have been numerous technologies invented over the years to support exactly this paradigm.

By virtue of ever-more decentralized processing, it logically follows that storage would be (in general) decentralized as well. In fact, storage becomes a balancing act. Data is placed in such a way as to be centralized enough to be manageable, while still being distributed enough to be efficiently used by consumers of that data. That’s the paradigm of recent history. But this paradigm is changing — changing in a way that impacts how we manage IT overall from a security perspective. And that change is “big data.”

To read the rest of the article please click here.