Monday, January 30, 2012

Risk Perspectives: The Bigger Picture


Here's a perspective of global risk that juxtaposes cyber-attacks with other global challenges. Check out the set of charts on pages 4-6. This is the type of chart I like to use with students to help them see a bigger picture (perhaps somewhat of an extreme) and the difference between the focus on organizational/enterprise risk and technology/IT risk. Many of the students I teach at SMU have IT backgrounds and may start my courses with tunnel vision for only IT concerns.

View/Download: http://www3.weforum.org/docs/WEF_GlobalRisks_Report_2012.pdf
From the Executive Summary: 
"The World Economic Forum’s Global Risks 2012 report is based on a survey of 469 experts from industry, government, academia and civil society that examines 50 global risks across five categories. The report emphasizes the singular effect of a particular constellation of global risks rather than focusing on a single existential risk. Three distinct constellations of risks that present a very serious threat to our future prosperity and security emerged from a review of this year’s set of risks."

Thursday, January 19, 2012

Cisco Cloud Labs

Justin Lute (now over at Qualys) sent this around several months ago. Since then, others have asked for this, which is why I'm posting it here.

"It is easy to download N1k & VSG, and install in your lab (there are multiple videos that outline the process). I am providing all the required links in this email. If you want to try this in a lab setting, please visit http://cloudlab.cisco.com.

Tuesday, January 17, 2012

Your Number One, Gotta-Have-It, Top Priority, Most Important, Critical Control

Security Awareness. 
Right. You know this. Or you've heard it enough that you accept it. Or perhaps you've heard this and think it's a bunch of hungry capitalists creating a new market opportunity to feed in perpetuity like the leeches clinging to the flesh of their unassuming victims...

Intelligent Agents.
One of the more interesting subjects I've studied that has given me a perspective on the complexity of organizations was Organizational Behavior/Managing Complexity at the McCombs School of Business with Dr. Reuben McDaniel. With the basis of my military experience on submarines as a backdrop, I listened as Dr. McDaniel wove stories together of chaos theory, change agents, and the unbelievable complexity of launching an aircraft off of an aircraft carrier in the middle of the ocean. There are hundreds of people involved at different points in the process to launch a single aircraft. There are thousands of actions. Yet there are so few accidents. The structure and organization shape the direction of each individual's effect on the system to execute the singular complex action of launching a plane off the ship. Each individual is a change agent. These people are among the best trained in the world at what they do.

How does it work? 
No expense is spared to ensure these men and women are equipped with the skills to execute the expected routine actions... and... These men and women are equipped with the skills to execute on the unexpected, respond to the deviations from the norm - to analyze and correct with situational awareness.

It's with similar experiences during complex submerged operations that I related to his stories. It's with that understanding that I have always stood by security awareness as the number one control for any organization. If I can't break your perimeter, then I will shift tactics and social engineer my way into the organization. Your last line of defense? Well-trained, expectant, alert, aware, intelligent agents.

Thursday, January 12, 2012

8TH Annual Dallas CPA Society Education Conference


May 4, 2012 between 8am and 5pm at the Loews Anatole – The Dallas IIA is joining up with the Dallas CPA society (over 6,800 members!) to provide two topics (50 minutes each) for their 8th annual conference (over 1,200 attendees at last year’s event). Mr. Greg Estes asked for a cutting-edge, audit-related topic that would appeal to corporate CPAs.

I responded with a track discussion covering cloud computing risks. The goal is to share perspective and understanding of outsourced data management and processing.

Here is the topic submission:

Cloud Computing Introduction and Risk Management
Join us on a journey to discover – and understand – the cloud. We’ll open the discussion with a review of Cloud Computing and what its heralded arrival means for your company or your clients. It’s here to stay and transform data management. The cost reduction, operations impact, and business elasticity are real benefits. However, there are also real, tangible risk factors to consider. We will examine these risk factors and discuss solutions for managing risk in cloud computing environments. Slides and supplemental information will be posted to www.cloudauditcontrols.com.