Information Security Magazine is one of the best-quality trade magazines of its kind. It used to be run by the folks at TruSecure but has since been bought by TechTarget. (Since then Ubizen and BeTrusted merged, and then merged with TruSecure to become CyberTrust, got it?) This month's issue is crammed full of great stuff.
Some lofty board members at ISC2 quit last fall's CSI conference in protest of Frank Abagnale's keynote. Now, Frank Abagnale might have been a crook in his youth, but he has long since reformed and proven his merit and value. My problem with this Pharisaic attitude is that it precludes the tremendous good that Abagnale is able to provide. This just gives me another good reason not to get a CISSP certification.
Another piece discusses the real sentences that hackers are receiving:
2001 - Jesus Oquendo gets 2 years and $100K restitution - hacked an investor's network
2003 - Richard Dopps gets 5 years and $22K fine - read exec's mail at his company
2004 - Brian Salcedo gets 9 years - hacked Lowe's WiFi network
I have commented on the value of Sarbanes as a form of certification. This month's issue gives some metrics.
66% of IT professionals surveyed believe regulatory compliance improves security.
19% of those surveyed (mostly small and medium businesses) do nothing to protect their networks and the data stored within them! At least they're honest.
Anish Bhimani offers a reprise of the highlights of his Fall 2004 SecurityDecisions keynote with his 12 lessons about being a CISO. He oversees security for JPMorgan Chase, which is really more like running a whole stable of Fortune 500 companies. In Chicago he ran down the numbers for us - they were staggering. If he can figure out how to tame this beast, you know he has something to teach the rest of us.
This is the same company that recently reversed its outsourcing of IT to IBM. The reason finally surfaced... the costs had gotten out of hand. This is a great point: if you can't manage your business units and employees, how are you going to manage your vendors? I am all for outsourcing the right functions (such as economy-of-scale functions like 24 x 7 firewall monitoring), but don't forget the cost of managing them.
Adam Stone's piece on the growth of managed security service providers is timely and gives a great survey of the landscape. If you haven't considered MSSPs, then you are missing some great opportunities. I have had the chance to review a number of them, in particular depth with the ones that seemed to be the most capable. They call attention to some of the most significant points. I considered Guardent to be one of the top-tier players (since then bought by Verisign), but ultimately their lack of a strong global presence hurt them. (The same reason they give for their acquisition.) Today Cybertrust is probably the most capable MSSP with the strongest global presence. Their Ubizen group was headquartered in Belgium, and their list of clients is impeccable. Their talent drew heavily from the University of Leuven, and their dedication and skills are obvious. We shall see how this huge merger bodes for them.
Finally, publisher Andrew Briney tells us his nightmare story of trying to remove spyware from his home computer. For anyone not familiar with the reality of how hard some spyware is to remove, this is a must-read. Spyware is finally getting elevated in corporate IT status from nuisance to major threat. I am skeptical that technical solutions such as Microsoft's AntiSpyware tool can effectively deal with the problem on Windows systems. This may give Apple and other alternatives the impetus to grab a great amount of corporate market share - the economics are probably right today.
Pete Lindstrom also weighs in to the contrary on Frank Abagnale.