137 posts categorized "podcasting"

April 15, 2013

What is the Real Cost of Security?

You were just hired as the Chief Information Security Office (CISO) of a mid-market one thousand employee company. Your first day on the job you are told that the company really hasn’t done anything about information security to this point. You need to submit your prioritized plan and budget by the end of the week! What do you do? This is exactly the scenario that Wendy Nather, Senior Research Director of 451 Research put to literally dozens of CISOs. What they picked, what they think it may cost and the actual cost may really surprise you. Wendy’s new report, “The Real Cost of Security” (warning this is not free unless you are a 451 client) details her findings and analysis.

I had a chance to sit down and chat with Wendy about the report and its findings for Network World. Below you can listen to our conversation where Wendy provides some detail and depth to the report.

Despite all of the buzz about new and more sophisticated attacks, it was surprising that for the top priorities the oft-maligned technologies of firewall and AV were most often picked. In fact of the top 7 choices among CISOs, almost all of them are tried and true traditional products. I guess the old “no one ever gets fired for buying IBM” is still true today. According to the report, these are the top 7 recommended technologies

clip_image002

Figure 1 courtesy of 451 Research

The difference between the purple and gold lines is those that would recommend the technology if all they had was enough for the bare minimum (purple) versus if they had a blank check (gold).

Beyond the top 7, the next tier of choices represent a little more diversity:

clip_image003

Figure 2 courtesy of 451 Research

What was interesting about these next 6 is the wider disparity between the gold and purple lines. This indicates that many CISOs considered these more of an optional choice, but not bare minimum.

I was surprised that App Security and App firewalls were not in the top tier of solutions, given that so many attacks today use Port 80 and Web Apps as their vector of choice.

Bringing up the rear in the survey were the following:

clip_image004

Figure 3 Courtesy of 451 Research

You can see here the very wide disparity between some the minimum requirements and blank check scenario. This plainly labels some of these technologies as “nice to haves” but not required. GRC, NAC and Risk Management and Analysis seem to fall into this category by the widest margin. I was disappointed to see Training have such a wide disparity between minimum and blank check. I think dollar for dollar, security awareness training for your organization is some of the most effective security you can buy.

Beyond picking what technologies to buy, the cost of security as detailed in the report may surprise you. 451 Research looked at not only the cost of the technologies (not easy getting prices out of vendors), but also added in the cost of actually running these security solutions. When the total cost was figured in at a minimum an organization is looking at a budget of $250k. A more realistic budget for a 1000 person organization is probably somewhere between $500k and $800k. If you went all the way, you are closer to $1.2m dollars for security! Another metric from the report is that most organizations have about one security admin for every 500 employees.

What about your organization? What technologies have you deployed and what you are planning to deploy? What is your budget? Do you match the 1 to 500 ratio? There is a ton of great info in this report if you buy it or are lucky enough to be a 451 Research customer.

My full conversation with Wendy is here:

 

IBM

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don't necessarily represent IBM's positions, strategies or opinions.

Related articles
Enhanced by Zemanta

Posted at 10:54 AM in CISO, General Security, IBM, IDS/IPS, podcasting, security tips, the security industry | | TrackBack (0)

February 25, 2013

Sunguard Availability Services at RSA 2013

RSA Conference is THE information security event of the year. Kicking off my coverage of RSA this year is a series of podcasts I did with cloud/hosting providers who are exhibiting this year in the partner pavilion of Alert Logic.  

My friends at Alert Logic have 5 of the largest hosting/cloud providers in the world exhibiting with them. I was curious why these cloud and hosting providers wanted to exhibit at a security conference.

The first provider I spoke with was Sunguard. Specicifally Sunguard Availability Services. I spoke with Cara Camping, Product Manager, Managed Security Services for Sunguard AS. Cara talks about Sunguard's approach to security in depth, why they partner with Alert Logic and what they expect from exhibiting at RSA Conference.

Below are two slides that Cara references in our discussion:

Image1

Slide 2

 

Related articles
RSA Conference 2013, YOU READY!?
Where is AShimmy at RSA?
Security Blogger Awards Finalist Voting Is Now Open!

Posted at 09:00 AM in awards and PR, cloud, cloud security, other security companies, podcasting, RSA, tradeshows, Weblogs | | TrackBack (0)

June 27, 2012

Allgress Opens A New Window On Security and Risk Management

Wanted to highlight a podcast that I published on Network World yesterday.  It is about a company called Allgress, which recently emerged from stealth.  Allgress helps with GRC and risk management.  They have built the product based on the feedback and advice of some major CISOs, including Dave Cullanaine formerly from eBay.

I had a chance to sit down and talk with Jeff Bennet, President/COO of Allgress and Dave Cullanine, who needs no introduction to those of us in the security world.

Here are bios of Jeff and Dave:

Dave Cullinane

Dave Cullinane photoDave Cullinane is a globally recognized leader and visionary in the IT security industry. He served for five years as a vice president and Chief Information Security Officer (CISO) for eBay, where he was responsible for global fraud, risk and security strategy and programs that provided security for eBay and its many global businesses, including StubHub, InternetAuction.co, and GSI Commerce. Prior to joining eBay, Dave was the CISO for one of the largest banks in the United States. He has more than 30 years of IT security experience and is a Certified Information Systems Security Professional (CISSP) and a former Certified Business Continuity Professional (CBCP).

Dave is a founding member and chairman of the board of the Cloud Security Alliance (CSA). He is the past president and chairman of the IT-ISAC, an organization dedicated to sharing security related information across companies in the IT industry. He served as a member of the IT Sector Coordinating Council and the National Council of ISACs. He is an ISSA Fellow, and was recently elected to the ISSA Hall of Fame. He serves on ASIS International's CSO Roundtable Committee and is on the Editorial Advisory Board of CSO Magazine and SC Magazine. He was awarded SC Magazine’s Global Award as Chief Security Officer of the Year for 2005 and CSO Magazine’s 2006 Compass Award as a “Visionary Leader of the Security Profession.” In 2012 he was awarded SecureWorld’s first Lifetime Achievement Award for his outstanding contributions to the advancement of the information security community.

Jeff Bennett

Jeff Bennett photoJeff Bennet is the Founder, President and Chief Operating Officer Jeff Bennett brings almost two decades of business leadership, product development, and IT security and compliance industry experience to the company. A serial entrepreneur, he has founded and led several companies, including digital defense services firms SiegeWorks and SiegeWorks International. In 2006, FishNet Security, the nation's leading provider of information security solutions that combine technology, services, support and training, acquired SiegeWorks. Following the acquisition, Bennett served as executive vice president of services at FishNet. He has served on the advisory boards of other leading security providers. Bennett holds a Bachelor of Science Degree in Business Administration from California State University at Hayward.

The podcast is only about 25 minutes. Enjoy!

Posted at 01:03 PM in other security companies, podcasting, the security industry | | TrackBack (0)

June 01, 2012

Security.Exe with Fox Technologies CEO Subash Tantry

subash-tantry2With all of the talk around cloud and mobile, the real killer app for security may very well be identity and access control. There are some great open source solutions around access control, but at the enterprise level more functionality and scale are needed. Fox Technologies has developed that kind of application. I had a chance to sit down and talk with Fox Technologies CEO Subhash Tantry about how Fox is helping companies with both their security and compliance needs. If you are not familiar with Fox Technologies and access control solutions, you should really have a listen.

Enjoy!

 

Posted at 03:38 PM in podcasting | | TrackBack (0)

April 25, 2012

MidMarket In The Cross Hairs: A Security Webinar

IBMI am working with the IBM Midmarket group on a webinar on May 15th at 2pm eastern time.

The webinar: Mid-Market in the Crosshairs: Why Cybercriminals Are Targeting Midsize Organizations and How to Foil Them

We will pay particular attention to the most recent Verizon Data Breach Report as well as other sources to show that midmarket companies are indeed being targeted by cybercriminals.

You can register for the free webinar here.

I am lucky to have two friends and really smart security folks joining me on the panel for the webinar:

hutton1Alex Hutton

Currently, Alex Hutton is a Director of Operational Risk Management for a financial institution in the United States. Included in his responsibilities are both information risk management and vendor management. In his past life he worked for the Verizon Business RISK Team. The Verizon RISK Team builds and hones the risk models for Cybertrust services, produces the Verizon Data Breach Investigation, the Verizon's PCI Compliance report, and is responsible for the VERIS data collection and analysis efforts.

Alex likes risk and security so much, he spends his spare time working on projects and writing about the subject. Some of that work includes contributions to the Cloud Security Alliance documents, the ISM3 security management standard, and work with the Open Group Security Forum.

Alex is a founding member of the Society of Information Risk Analysts(http://societyinforisk.org/), and blogs for their website and records a podcast for the membership. He also blogs at the New School of Information Security Blog(http://www.newschoolsecurity.com). Some of his earlier thoughts on risk can be found at the Riskanalys.is blog (http://www.riskanalys.is).

Mike MurraymikeM

Mike Murray has spent more than a decade helping companies large and small to protect their information by understanding their vulnerability posture from the perspective of an attacker. From his work in the late 90′s as a penetration tester and vulnerability researcher to leadership positions at nCircle, Neohapsis, and Liberty Mutual Insurance Group, his focus has always been on using vulnerability assessment through penetration testing and social engineering to proactively defend organizations. In addition to being in charge of advanced curriculum at The Hacker Academy, Mike is also a Managing Partner of MAD Security, LLC, where he leads engagements to help corporate and government customers understand and protect their security organization.

His years of experience as a vulnerability researcher and leader of research teams have convinced him that the most important system to focus on in information security is the human and organizational systems, and Mike has most recently focused on research into exploitation of those systems. Mike’s talks about how to build a great career in security have been seen at major conferences like RSA, Blackhat and Defcon, and his work on advanced social engineering has been widely recognized. Mike’s thoughts on security can be found on his blog at Episteme.ca and his work on helping build careers can be found at InfoSecLeaders.com.

IBMThis post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.

Posted at 11:20 AM in education, friends, IBM, links and appearances, podcasting, Web/Tech | | TrackBack (0)

April 04, 2012

CompTIA CASP and the SBN

rick bauerI am happy to report that the good folks at CompTIA have signed on to be a sponsor of the security bloggers network (SBN). Thanks very much to CompTIA!

If you are not familiar with CompTIA they offer a full range of IT certification courses including some excellent security certifications.  Their newest certification is called CASP which is CompTIA Advanced Security Practitioner.  It is a master level certification for people with significant experience in the field.

I had a chance to speak with Rick Bauer, director of research and development at CompTIA. We spoke about CompTIA, the different certifications they offer and the whole technical certification space.

If you are interested in achieving technical certifications you should certainly look at what CompTIA has to offer. In the meantime you can listen to my conversation with Rick below.

If you are interested in finding out more about CASP or other CompTIA certifications, click the banner to the right.

Posted at 08:04 AM in education, employment, podcasting, security bloggers network, the security industry | | TrackBack (0)

March 06, 2012

User Activity Monitoring (UAM) and Data Theft Webinar

Living down here in South Florida, I am always excited to find out about security companies right here in my own backyard. About a month or so ago I came across Spectorsoft, where my old friend Jeani Park is now working. I don’t know how I missed Spectorsoft before. They have pioneered something they call user activity monitoring (UAM).

I am appearing on a webinar with Spectorsoft tomorrow at 2pm east coast time that will explore how UAM can help prevent data theft. If you are not familiar with Spectorsoft and UAM, you should definitely dial in to the webinar. It’s free of course and by attending you are eligible to win a new iPad3.

User Activity Monitoring allows IT Pros, Security Experts, HR, and Risk Managers to see what users and groups of users are doing. Capturing and replaying how people, departments, and divisions work, which applications and systems they are using, and how they communicate enables organizations to:

  • See who accesses, transfers, and alters protected or confidential information
  • Record and replay work activity to see which individuals and groups are most productive and efficient
  • Capture and review email, IM, and chat communications to be sure your Electronic Acceptable Use Policies are met

Sounds pretty comprehensive I know. I have seen the product in action and can tell you it really does work.  Join us on the webinar tomorrow if you can!

Posted at 09:05 AM in links and appearances, other security companies, podcasting, uam | | TrackBack (0)

January 23, 2012

Just Another Risk Podcast – NOT

Continuing my series of podcasts on all things Risk, I have another great one in this episode.  I am joined by an all star panel of HD Moore, CSO of Rapid7 and founder of Metasploit, Ron Gula, CEO and CTO of Tenable Network Security and Jody Brazil, founder and President of Firemon. With that kind of talent, this is not just another Risk Podcast!

hdjodyron

The four of us discuss some common mistakes people make in risk management.  How vulnerability and pen testing figure into the Risk equation. We even manage to discuss scenario based risk management as exemplified in the Firemon Risk Analyzer. 

Having smart people on the show makes my job easy and fun. This was a very easy and fun podcast. I hope you enjoy!

Related articles
Enhanced by Zemanta

Posted at 01:52 PM in podcasting, security tips, vulnerability management | | TrackBack (0)

January 09, 2012

How Come My Blog/Podcast Wasn’t Nominated?

With last weeks announcement of the finalists for this years Social Security Bloggers Awards there has been the usual buzz about the awards, the Security Bloggers Network and the bloggers meet up.  I want to say from the outset that in total all of the blogs/podcasts nominated as finalists belong there.

Of course there are so many blogs and podcasts that inevitably some worthy ones don’t make the list. This year there has been some questioning of how we pick the finalists and questioning of why certain blog/podcasts were left out. I should say that it seems mostly centered in the podcast category.

As a result I have made a write in option available for qualified voters(more on that in a second) to write in their own selection for best podcast. So far I have a received a handful of write in votes.  That being said though, I wanted to go over how we pick the finalists and what the Social Security Bloggers Awards are all about.

First of all you should know that this year at RSA Conference we will be hosting the 6th annual Security Bloggers Meet up.  You can find out more about it at the RSA Conference blog for Bloggers Meet up, the Bloggers Meet up Facebook page and the Security Bloggers Network.

This is also the 4th year for the Social Security Bloggers Awards. Again you can read more about them on the links above. The idea behind the blogger awards was to recognize some of the leading bloggers in the security arena.  When I first came up with the idea I didn’t think people would get that excited about it.

In the first year of the awards we had judges nominate their choices for finalists (as we have every year since), then we let anyone who registered vote. Well it turned out like so many awards run by other organizations, nothing more than a popularity contest with some people trying to stuff the ballot box.  That was not the spirit that I envisioned with these awards.

The awards really grew out of the Security Bloggers Network which I started 6 or more years ago. While a blog or podcast does not have to be in the SBN to be considered or win an award, it was in that same sense of fostering a community among the security blogging space. 

So going forward I changed the voting for the awards. While our all star panel of judges still picked the finalists, voting was only open to security bloggers.  Each voter had to give their blog or podcast URL with their vote for us to verify. In this way it was an award “by the bloggers, for the bloggers”.  This of course drastically cut down the amount of votes cast, but made it a peer based award similar to the Screen Actor Guild SAG awards.  I thought that was pretty cool.

Each year I try to bring some fresh blood into the judges pool to get new views on what the best blogs and podcasts are.  I also refine and add new categories to hopefully better represent the market. But no matter what is done, there are always going to be some people who feel left out.

So for next year I am already thinking of how we can do this differently. I am open to suggestions. But I will reserve the right on behalf of myself and the bloggers meet up organizing committee to choose what we think is the best method. I want to keep the awards free from ballot box stuffing.

In the meantime I want you all to know that I and many others appreciate all of the great content that the security industry turns out in blogs and podcasts. Thanks to all of you for creating and consuming it. Being nominated or even winning an award is not the payback for why we do this, it is educating and joining in the conversation that keeps us doing it.  So please keep blogging and podcasting!

Posted at 11:46 AM in awards and PR, podcasting, security bloggers network, Weblogs | | TrackBack (0)

December 19, 2011

Risk, Risk, Risk

securityexe podcast logoIn order to effectively manage risk, we need to be able to effectively measure risk.  Before we can ever hope to effectively measure risk, we should all agree on exactly what is the definition of risk.  When something as elementary as defining risk can sow confusion, caveats and so many questions, you know we need to do a better job.

I am joined on this episode of the Security.Exe Podcast by some experts in risk.  I have Alex Hutton, formerly of Verizon and now a top risk officer at a top 25 financial institution, Ben Tomhave (@falconsview) of LockPath and finally last but not least, Jody Brazil of Firemon.

Of course as most of you know I have been looking at risk an awful lot lately as part of working with Jody and the Firemon guys around their Risk Analyzer product. But getting a few really smart people to talk about a concept is a great way to learn. I learned a lot listening to the folks on this episode. I think you will too!

I am thinking of expanding this discussion into perhaps a panel for a conference talk. Let me know what you think.

Enjoy!

 

Related articles
Enhanced by Zemanta

Posted at 12:20 PM in podcasting | | TrackBack (0)

Next »
My Photo

Subscribe to my blog

Enter your email address:

Delivered by FeedBurner

Lijit Search

Blog Networks

Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.

Search

Lijit Search


Attend a Computer Forensics Boot Camp to better your skills and become a better worker

Categories

Blog powered by TypePad
Member since 10/2005

About