Google Cars and Continuous Monitoring

If I make my living driving - and as the son of a London cab driver, this hits close to home - I've got a weather eye in the rearview mirror watching Google changing lanes. Will Google's self-driving cars push me off the road? But if automation's bad for the automated, it promises huge dividends for the rest of us. And, in some cases, the automated are celebrating the changes. Enter DHS Continuous Monitoring - the $6 billion cyber security juggernaut that promises to revoke driving privileges for bad guys on the information superhighway. Many CIOs and CISOs see CM as a way to turn their jalopies into Batmobiles.

Less is More

FISMA's FUBAR - nobody's arguing that one. Spending one in four cyber security dollars on a 300-page system audit every three years doesn't cut it in a world where threats change every minute. There are 1,100 controls in FISMA - but that doesn't mean we need to test every system against every control. Ron Ross and the NIST team never intended that. The truth of the matter is, we need to cut the cholesterol to boost security.

Policy Priority

Most importantly, this is not about technology - it's about a policy shift. We need to explain to the Hill, IGs, and OMB that it's not about doing more with less - it's about doing less better, and doing it all the time.

Cowboy Up

If we're to realize a policy shift, CIOs and CISOs need to pull together on the same lariat. The whole community needs to explain to leadership that CIOs and CISOs must be empowered to make executive decisions about the right security controls to implement. And - I know this sounds crazy in government - which controls to let out of the corral. To be clear, this is not about slacking off on security. IT needs to demonstrate rigor in making the case for what to do and what not to do. Execs need to take real responsibility and back decisions with hard data.

To succeed, SANS Institute and other think tanks tell us we need to focus on 20-30 common controls - and implement them across government. So, which controls make it to the rodeo? This is a good time to introduce the old nutshell - RoI of cyber security. At the January 31 Cyber Security Exchange meeting, CISOs told us 80-90 percent of security breaches are associated with 5-10 percent of controls. So how about we let agency cyber defenders make the call about where and how to defend - and hold them accountable for those decisions? Isn't that what executive means?

Conspiracy Theory?

Never fear, I'm not talking about Roswell or JFK. In that same January Cyber Security Exchange meeting we heard that 80-90 percent of the cyber security vulnerabilities at Federal agencies are common across the respective agencies' cyber security audits. But, tragically, there's little or no information sharing among agencies. Ironically, Federal agencies are failing in cyber because they're failing to conspire. Each agency is collecting its own cyber vulnerability and threat information, but failing to share that data with other agencies - either because they're afraid of looking weak, or because the data's trapped in proprietary formats, or both. It's time for Feds to open up to one another - and further, to set up a machine-readable clearing house for cyber security intelligence. And, yes, there's a reference back to the Google cars - if alerts were machine readable, humdrum updates could be automated, leaving expensive humans to focus on higher value, analytic tasks.

Call Shotgun?

A big pour this week - the cup's flowing over into the saucer. John Streufert and Continuous Monitoring promise much needed new efficiency. But the change is not simply about new technology - it's about new thinking and IT empowerment as well as accountability. The question is, is Uncle Sam up for riding shotgun? Afraid that's not a question you can Google.