The Ashimmy Blog

In order to effectively manage risk, we need to be able to effectively measure risk.  Before we can ever hope to effectively measure risk, we should all agree on exactly what is the definition of risk.  When something as elementary as defining risk can sow confusion, caveats and so many questions, you know we need to do a better job.

I am joined on this episode of the Security.Exe Podcast by some experts in risk.  I have Alex Hutton, formerly of Verizon and now a top risk officer at a top 25 financial institution, Ben Tomhave (@falconsview) of LockPath and finally last but not least, Jody Brazil of Firemon.

Of course as most of you know I have been looking at risk an awful lot lately as part of working with Jody and the Firemon guys around their Risk Analyzer product. But getting a few really smart people to talk about a concept is a great way to learn. I learned a lot listening to the folks on this episode. I think you will too!

I am thinking of expanding this discussion into perhaps a panel for a conference talk. Let me know what you think.

Enjoy!

Reprinted from my Network World Blog

Security costs too much for many organizations, is open source security the answer?

Having been in the infosec world for more than 10 years, I have learned the hard way that there are some real issues around effective security for everyone.  One of them is that security is hard and seems to be getting harder. As a result security is also very expensive.  So expensive that only the largest of organizations who put a high value on securing their assets can afford it.  In fact some studies show that large organizations spend on average of about 3.5 million dollars a year on security.  Frankly, even that is not enough given the current state of cybersecurity.  But even assuming that number is adequate, who has 3.5 million to spend today?

The fact is that most organizations live "below the security poverty line".  One of my friends in the infosec world and someone who many follow is Wendy Nather, director of research for enterprise security at the 451 Group.  Wendy has real world experience as a CISO at both private and public organizations. She is extremely bright and dialed into the infosec scene.  She co-authored a report titled "Security Below the Poverty Line".  Wendy's research shows that most organizations don't have anywhere near the resources required to do security right. 

I actually wrote a follow on to Wendy's report on Secure Cloud Review (another place I blog) titled, "Brother Can You Spare A Dime: Life Below The Security Poverty Line". In it I detailed that like the real poor today, security poor organizations may make due on a "high carb" diet of security that lacks "protein". By that I mean they have minimal security that gets them "fat" but doesn't really do the job. Anyone who is working in security recognizes this as a real problem we all face.

I wanted to speak to Wendy about what role open source security can play to raise organizations above the security poverty line.  The open source security community has always been an innovative and dynamic one. In just about every security area there is a viable open source project.  So could open source be the secret weapon in the war on security poverty? 

Wendy and I discuss just this and what her research shows.  You can listen to our 15 minute discussion below.  But let me give you some insight even if you don't listen to the podcast.  The costs of security are not only the hardware and software of the security products.  The human costs of security are equally expensive.  Even deploying open source security projects will take experienced, qualified security know how. That costs money, more money than many organizations can afford.  So open source in and of itself is not going to be a panacea here. 

There are other potential ways to address this problem. Outsourcing security is one way that can spread the cost of security over time. Buying security a slice at a time instead of the whole pie at once.  But again even security as a service so to speak can be more than some companies will budget for security. 

This is an age old problem that those of us in the security space no well.  Every survey done always indicates that security is in the top two or three priorities for every CIO.  However, when it comes time to pony up the money often times their arms are too short to reach their pockets.

Wendy Nather is a great person to learn from, please take the time to listen in and hear more pearls of wisdom from her in our discussion. Also, here is to a speedy and full recovery to Wendy, who was nice enough to record this with me just a few days before having some medical procedures performed. Good thoughts and prayers to you my friend! The security world will not be the same until you are back up to full speed!

Finally many thanks to The 451 Group for making a copy of Wendy's report available for free from the link in this post, it was previously only available to paying customers of the 451 Group.

I am happy to be joined today by the new VP of business development at Firemon, Ward Holloway.

Ward is a veteran of the security industry having served many years at Crossbeam Systems, working with their many partners. Prior to Crossbeam, Ward was with Checkpoint as well.

Ward just joined Firemon and he talks to us about why he joined, what gets him excited about the company and what we may expect in the near and long term future. I have been doing some consulting for Firemon myself, so am of course very excited to have Ward on board.

Enjoy!

As I have written before, I have been doing some consulting for Firemon lately. One of the reasons I do is that I enjoy working and interacting with Jody Brazil, the President of Firemon. I have known Jody for a number of years since he was CTO over at Fishnet Security.

Jody is an easy going guy who I can sit and chat with anytime. It seems before we look up we can spend a hours talking about everything and nothing. That is why we had to be careful to stay on point for our Security.exe podcast this week

Jody tells us about recent events at Firemon, as well as the forthcoming risk analyzer product they will be releasing. We also talk about the general state of security.

Have a listen and enjoy!

On this episode of Security.Exe I had a chance to talk with Lila Kee, VP of Biz Dev and Chief Product Officer at GlobalSign. GlobalSign is owned by CloudGMO, a large internet and technology company located in Asia. GlobalSign is their digital certificate division.

Lila tells us about the company and specifically their BioWrap technology that brings real management and control over access to data. The company recently launched a new initiative in the healthcare sector.

Listen in as Lila tells us all about it.

Enjoy!